Don't assume stakeholders outside security understand your goals and priorities, but consider how you'll communicate with them to gain their support.
March 27, 2023
In the two decades I've spent in cybersecurity, I've observed and experienced the fighting spirit of security professionals: When tasked with safeguarding information assets, we envision ourselves erecting defenses to keep threat actors at bay, or we emulate malicious actions to find flaws in the organization's security measures before attackers exploit them. We fight.
The combative mindset of security professionals finds its way into our interactions with colleagues within our organization. We witness and sometimes contribute to conflicting opinions regarding the urgency with which security issues should be addressed, and we disagree on the best ways to address security risks. And we fight for a share of the budget that might shrink if other departments' needs are prioritized above our own.
This cybersecurity vs. everyone way of operating is counterproductive because it contributes to security professionals being seen as detractors and distractors. To succeed in today's workplace, we must operate as business enablers, not blockers. We can do this by adjusting our mindset, developing empathy for the role and objectives of colleagues throughout the organization, and communicating security benefits in business terms.
Collaboration: The Future of Security
Security teams are often seen as separate entities by the rest of the organization. To increase integration and understanding, all teams at the company need to have open conversations about their shared goals and objectives. After all, each team may have different skill sets and roles, but all of them ultimately want the organization to succeed.
Start here: Have those in each team define what success looks like to them. Then look at how that can be achieved within the context of broader business objectives. Differences are OK and expected, but finding the thread that ties us together is the only way to find common ground. Looking at wider business objectives makes it easier to understand how teams can work together to shift the organization closer to those goals.
Agreeing on shared objectives — while recognizing each team's unique roles and interdependencies — will allow everyone to collaborate more smoothly.
Invest in Persuasion, Communication for Security Buy-in
Like it or not, cybersecurity leaders often have to work harder than others to justify our presence and initiatives. Yet our initiatives often span multiple departments and depend on buy-in from other executives. Therefore, we need to put extra care into how we persuade and communicate outside the security team to get support for our efforts.
To gain others' support for a security request or project, there are multiple considerations.
Who needs persuading? Understand the dependencies of your security effort to determine which teams — and which specific individuals — are stakeholders in your effort. Depending on whether they'll be initially supportive or skeptical, you'll need to tailor your communications accordingly.
What are their objectives? Presumably, you already understand why you're pursuing a particular security project, but how does it support the needs of your stakeholders outside security? Understand what's important to them, so they'll be more inclined to support you.
What do they need to know? Some want to see technical details, but not everyone. Some people focus on costs, others on revenue, others don't think in financial terms at all. Present the information appropriate for the individual to get their buy-in.
Why should they trust you? Whether you're seeking funding, expertise, or time from others, consider how you'll demonstrate that their support will not go to waste. To signal credibility, present metrics from earlier security projects or point to your initiatives that succeeded in the past.
Instead of assuming that others understand what you're looking to achieve and why the effort is important, consider what steps you'll take to persuade and communicate with non-security stakeholders to gain their support.
Link to Business Needs in Budget Discussions
Positioning security in business terms, rather than technology terms, matters most during budget discussions. While it's good news that cybersecurity is one area where spending remains fairly stable, any security leader still needs to firmly justify their requests.
Start by answering the persuasion and communication questions above to establish the foundation for your budget discussion with the CFO or other relevant parties.
Next, understand the business scenarios that the company is considering for its next year: Is the organization expecting its revenue to shrink? Will some product lines likely expand? Are there any changes in the geographic regions the company serves? Can you expect business as usual, or are the company's activities likely to experience significant disruption?
Continue by outlining your security objectives, then link them to the company's business objectives. Since the exact future is unknown, be prepared to discuss how your requests might change based on the scenario in which your company might find itself. For example, if the firm might open an office in a new country, you might need to hire a security person to support that region. Or if your firm will introduce a new product, you might need to fund the training of your application security team in the corresponding technologies.
Be ready to not only clarify how the security expense item benefits the company but also why now is the time to invest in that project, person, or initiative. Explain how the company might be affected if that item doesn't get funded, but do so without spreading fear, uncertainty, and doubt, which often dominate security discussions with stakeholders.
About the Author(s)
Chief Information Security Officer, Axonius
Lenny Zeltser is the CISO at Axonius, a leader in cybersecurity asset management. Prior to Axonius, he led security product management at Minerva Labs and NCR. Before that, he spearheaded the US security consulting practice at a leading cloud services provider acquired by CenturyLink. He also helps shape global cybersecurity practices by teaching at SANS Institute and sharing knowledge through writing, public speaking, and community projects. He has earned the prestigious GIAC Security Expert designation and developed the Linux malware analysis toolkit REMnux. He is also on the Board of Directors of the SANS Technology Institute.