Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


// // //
01:00 PM
Connect Directly
E-Mail vvv

Solving the Leadership Buy-In Impasse With Data

Justify your requirements with real numbers to get support for security investments.

Are you having trouble receiving buy-in from senior leadership for your security programs? Are you having difficulty obtaining funding for your programs outside of the usual three G's — guards, guns, and gates? Let me share how I have been successful in gaining buy-in for investing in security from senior leadership.

The goal is to focus on changing senior leadership's mindset and culture. How do I do it? The answer is data. Security is in the customer service business. Our customers drive the services that we provide to our organization. Data tells our story. Most senior leaders do not understand the depths of security and our daily duties. Security typically operates in a vacuum, which makes it difficult to tell our story. And if we are unable to tell our story, we will never receive buy-in from leadership. Still not sold? Allow me to elaborate.

Related Content:

How to Boost Executive Buy-In for Security Investments

Special Report: Building an Effective Cybersecurity Incident Response Team

New From The Edge: Cartoon Caption Winner: In Hot Water

For each security program you have, start tracking each service you provide. A perfect example of this would be how law enforcement tracks its calls for service. For instance, when a dispatcher sends a police officer to a call, that call is recorded in a tracker that is used to generate working hours at the end of the calendar year.

You can apply the same concept to each of your IT security programs. For example, in February, the Security Department's Identity Credentialing and Access Management (ICAM) program compiled the following numbers for ID cards:

  • New Issuance: 83 
  • Pin Resets: 43
  • Physical Access Control Mapping: 84
  • Certificate Updates: 37
  • Lost/Stolen/Missing Card Replacements: 12
  • ID Card Destructions: 7
  • Employee Separations: 8
  • Employee Onboarding: 12

Now, imagine tracking the services for all your security programs, administrative taskers, staff hours, and so on. Sure, there will be growing pains when you're formulating a tracking sheet and asking your staff to take on the added workload. I can assure you, though, that the extra effort is worth it and will return on your investment of time.

Another benefit to the process of recording these numbers monthly is that your senior security officer can also use this data to provide weekly, monthly, and year-end reports to senior staff. Having the ability to provide data, at any given time, for essential security services is vital to the organization and its mission.

The most significant element is that you now have the data to justify your security program's needs. The data will also help security officials determine whether security programs provide value to an organization or cost them unnecessary funds that could save the organization money. Reallocating that funding could benefit other areas of the organization, including procuring security equipment, systems, or even training. That data could also be used to justify staffing needs.

Most importantly, the goal is to let the data tell your security program's story and defeat the old mindset that security is only about the three G's.

Note from author: The views expressed in the article do not necessarily represent the views of the agency or the United States.

Richard Amburgey is a Chief Security Officer (CSO), leading, advising, and coordinating security operations, protecting the Bureau of Labor Statistics (BLS). After nearly 20 years in security and law enforcement for government agencies, Richard understands the importance of ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
The Promise and Reality of Cloud Security
Cloud security has been part of the cybersecurity conversation for years but has been on the sidelines for most enterprises. The shift to remote work during the COVID-19 pandemic and digital transformation projects have moved cloud infrastructure front-and-center as enterprises address the associated security risks. This report - a compilation of cutting-edge Black Hat research, in-depth Omdia analysis, and comprehensive Dark Reading reporting - explores how cloud security is rapidly evolving.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2023-02-01
Versions of the package mt7688-wiscan before 0.8.3 are vulnerable to Command Injection due to improper input sanitization in the 'wiscan.scan' function.
PUBLISHED: 2023-02-01
Dell BIOS contains a heap buffer overflow vulnerability. A local attacker with admin privileges could potentially exploit this vulnerability to perform an arbitrary write to SMRAM during SMM.
PUBLISHED: 2023-02-01
Dell Rugged Control Center, versions prior to 4.5, contain an Improper Input Validation in the Service EndPoint. A Local Low Privilege attacker could potentially exploit this vulnerability, leading to an Escalation of privileges.
PUBLISHED: 2023-02-01
Dell Command | Update, Dell Update, and Alienware Update versions prior to 4.7 contain a Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in download operation component. A local malicious user could potentially exploit this vulnerability leading to the disclo...
PUBLISHED: 2023-02-01
Dell Command | Update, Dell Update, and Alienware Update versions prior to 4.7 contain a improper verification of cryptographic signature in get applicable driver component. A local malicious user could potentially exploit this vulnerability leading to malicious payload execution.