Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


// // //
01:00 PM
Connect Directly
E-Mail vvv

Solving the Leadership Buy-In Impasse With Data

Justify your requirements with real numbers to get support for security investments.

Are you having trouble receiving buy-in from senior leadership for your security programs? Are you having difficulty obtaining funding for your programs outside of the usual three G's — guards, guns, and gates? Let me share how I have been successful in gaining buy-in for investing in security from senior leadership.

The goal is to focus on changing senior leadership's mindset and culture. How do I do it? The answer is data. Security is in the customer service business. Our customers drive the services that we provide to our organization. Data tells our story. Most senior leaders do not understand the depths of security and our daily duties. Security typically operates in a vacuum, which makes it difficult to tell our story. And if we are unable to tell our story, we will never receive buy-in from leadership. Still not sold? Allow me to elaborate.

Related Content:

How to Boost Executive Buy-In for Security Investments

Special Report: Building an Effective Cybersecurity Incident Response Team

New From The Edge: Cartoon Caption Winner: In Hot Water

For each security program you have, start tracking each service you provide. A perfect example of this would be how law enforcement tracks its calls for service. For instance, when a dispatcher sends a police officer to a call, that call is recorded in a tracker that is used to generate working hours at the end of the calendar year.

You can apply the same concept to each of your IT security programs. For example, in February, the Security Department's Identity Credentialing and Access Management (ICAM) program compiled the following numbers for ID cards:

  • New Issuance: 83 
  • Pin Resets: 43
  • Physical Access Control Mapping: 84
  • Certificate Updates: 37
  • Lost/Stolen/Missing Card Replacements: 12
  • ID Card Destructions: 7
  • Employee Separations: 8
  • Employee Onboarding: 12

Now, imagine tracking the services for all your security programs, administrative taskers, staff hours, and so on. Sure, there will be growing pains when you're formulating a tracking sheet and asking your staff to take on the added workload. I can assure you, though, that the extra effort is worth it and will return on your investment of time.

Another benefit to the process of recording these numbers monthly is that your senior security officer can also use this data to provide weekly, monthly, and year-end reports to senior staff. Having the ability to provide data, at any given time, for essential security services is vital to the organization and its mission.

The most significant element is that you now have the data to justify your security program's needs. The data will also help security officials determine whether security programs provide value to an organization or cost them unnecessary funds that could save the organization money. Reallocating that funding could benefit other areas of the organization, including procuring security equipment, systems, or even training. That data could also be used to justify staffing needs.

Most importantly, the goal is to let the data tell your security program's story and defeat the old mindset that security is only about the three G's.

Note from author: The views expressed in the article do not necessarily represent the views of the agency or the United States.

Richard Amburgey is a Chief Security Officer (CSO), leading, advising, and coordinating security operations, protecting the Bureau of Labor Statistics (BLS). After nearly 20 years in security and law enforcement for government agencies, Richard understands the importance of ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
The 10 Most Impactful Types of Vulnerabilities for Enterprises Today
Managing system vulnerabilities is one of the old est - and most frustrating - security challenges that enterprise defenders face. Every software application and hardware device ships with intrinsic flaws - flaws that, if critical enough, attackers can exploit from anywhere in the world. It's crucial that defenders take stock of what areas of the tech stack have the most emerging, and critical, vulnerabilities they must manage. It's not just zero day vulnerabilities. Consider that CISA's Known Exploited Vulnerabilities (KEV) catalog lists vulnerabilitlies in widely used applications that are "actively exploited," and most of them are flaws that were discovered several years ago and have been fixed. There are also emerging vulnerabilities in 5G networks, cloud infrastructure, Edge applications, and firmwares to consider.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2023-03-27
In Delta Electronics InfraSuite Device Master versions prior to 1.0.5, an attacker could use URL decoding to retrieve system files, credentials, and bypass authentication resulting in privilege escalation.
PUBLISHED: 2023-03-27
In Delta Electronics InfraSuite Device Master versions prior to 1.0.5, an attacker could use Lua scripts, which could allow an attacker to remotely execute arbitrary code.
PUBLISHED: 2023-03-27
Delta Electronics InfraSuite Device Master versions prior to 1.0.5 contains an improper access control vulnerability in which an attacker can use the Device-Gateway service and bypass authorization, which could result in privilege escalation.
PUBLISHED: 2023-03-27
Delta Electronics InfraSuite Device Master versions prior to 1.0.5 are affected by a deserialization vulnerability targeting the Device-DataCollect service, which could allow deserialization of requests prior to authentication, resulting in remote code execution.
PUBLISHED: 2023-03-27
Heap-based Buffer Overflow in GitHub repository gpac/gpac prior to 2.4.0.