Winning Senior Management Support

Too many information security managers are fighting an uphill battle that they will never win. No matter how good their efforts to plan, implement and monitor projects designed to mitigate security-related risk are, they are unable to narrow the gap between actual and desired levels of risk. Why? Much too often the reason is lack of senior management support.

Senior management support is critical to success in information security, yet obtaining it is elusive. Senior management seems to be perpetually fighting an abundance of proverbial fires; information security-related risk is only one of many such fires that need attention. Additionally, resources are invariably limited; information security managers must compete with many other worthy functions for resources. Winning the attention of senior management is thus difficult, but winning the support of senior management is even more so.

What amazes me is that many information security managers whose security practices do not have the support of senior management seem to give up instead of doing something constructive about it. Granted—interfacing with senior management requires special levels of tact and skills, attributes that relatively few individuals possess. Some security professionals effectively shut themselves off from communication with senior management, however, by conveying a “the sky is falling” message to senior management. The fact that many potentially catastrophic security risks exist is a given, and some of them will persist at unacceptable levels despite sound risk management practices. Adopting an alarmist approach is, however, extremely unwise in that it amounts to handwaving, something effective senior managers eschew. Additionally, psychologists have coined the term “learned helplessness” to refer to organisms that, when faced with unavoidable stress or punishment, quit trying to engage in avoidance behavior over time. I suspect that some information security managers develop learned helplessness when they learn that they do not have nearly as much control and authority in their positions as they need.

There is no silver bullet when it comes to winning senior management support, but a few methods have a much higher probability of success than others. Adopting a business perspective—knowing the nature of the business, business drivers, and business initiatives of and within one’s organization and communicating with senior management accordingly—is the wisest approach of all. Senior management, after all, is in charge of the business; interfacing with senior management in terms of constructs they know, understand and value generally has high payoff. Similarly, educating senior management concerning the business impacts of security risks and building cost-benefit justifications for security-related resource investments is very likely to result in success. Senior managers are not likely to have much exposure to information security-related issues, and information security managers are in the best position to educate them. Another method is working with senior management to set performance goals and measurement methods, then taking measurements such as key performance goals and key performance indicators at agreed-upon intervals to determine whether information security is providing sufficient value. Senior management thinks numerically, and the more numerical performance measurements are, the more likely senior management is to conclude that an information security program has been successful.

This posting is by no means intended to provide comprehensive coverage of methods that can be used to win senior management support. I have instead mentioned three of the most time-proven methods. Regardless of which method works better under which conditions, one fact remains true—if you want senior management support, don’t expect it to be handed to you like a blank check. You’ve got to earn it. The trick is developing a sound strategy for earning it.