
I am facing an issue regarding security projects. For example: last year we bought an antivirus licence for 500 (endpoint security) and made a policy in order to force everyone to install it; however, at the end of the year, we found out that only 50 users were using the antivirus properly.

I have discussed this issue and others regarding digital security, but the top management is not supporting us very well.

I want to get full support from management, but I am confused about the way to do it.

Additional Information:

  • Organization: ISP provider.
  • Size: 1000 employees
  • My role: IT Security Manager/Technical
  • Reporting to: IT Manager, Technical Director, CEO
  • Is there a role/function dedicated to information security and/or information management? This is still unclear, and all security projects started when I joined the company.
John WH Smith
Akam
  • Please provide more details about your company: organization, size, what is your role, who do you report to, is there a dedicated function for Information Security and/or Information Management, etc. as a valuable answer should be very specific to your context. – ack__ Apr 24 '14 at 12:56
  • 2
    My first question would be: why are only 50 users using the anti-virus properly? It is typical for users to NOT comply with directives from "staff" officers like Security Manager. However, reasons vary. So, knowing the reasons -- getting beyond "they're just set in their ways" -- can often help solve the problem better than a top-management order. – Darius Apr 24 '14 at 13:30
  • @Darius: this organization didn't implement anything related to security; users were not educated and trained. I have started this session, but because they worked without antivirus for the past 6 years, they had an invalid claim that antivirus slows performance. – Akam Apr 24 '14 at 13:37
  • Really quite amazing that anybody would not have *some* anti-virus software, let alone a company of 1,000 employees... and a ISP too! There must be some mid-level managers among them who will work with you if you focus on them. Since you mention speed, I found that the standard Symantec virus that our company has had everyone deploy, does slow down certain things I do: e.g. builds/compiles with 1000's of files being copied. A few of us who do that were allowed to use Avast instead, and we're happy. – Darius Apr 24 '14 at 13:43
  • Corporate policies don't force antivirus to get installed. Group policy software deployment and network access protection policies do. Deploying antivirus isn't something the users should have to do themselves. – Grant Apr 24 '14 at 17:35
  • @Grant: We (all IT staff) started to install antivirus, but we found that users uninstalled it outside, or requested uninstallation; it's somehow strange. I think we lack a user awareness program and information security management. – Akam Apr 24 '14 at 17:43
  • 2
    @akam that's where network access protection comes in...no antivirus? no internet. no file shares. no network access period. That way you can have all the viruses you want, but you won't be spreading them over the network. If there is a legitimate reason to not have antivirus exceptions can be made, but those should be extremely rare. – Grant Apr 24 '14 at 17:47

9 Answers


Although there are exceptions, generally managers do things for one of two reasons:

  1. Doing it will make them look good
  2. Not doing it will make them look bad

Now apply this to your management to see who the key stakeholders are:

  • Stakeholder 1: Somebody's allocated money for anti-virus, which ought to make the manager who owns the AV look good. However, if nobody is using it that will make them look bad if it gets out.
  • Stakeholder 2: If the company was hacked because AV was not installed someone will look bad.
  • Stakeholder 3: The company has spent money on AV because the financial benefits of the AV are greater than the financial costs of deployment, which should make someone look good. However, as it is not being used properly, the company is incurring the costs without the benefits. This financial drain might make someone look bad.

The stakeholders all may be the same person, or it could be separate individuals. Either way these are the people you need to reach. As for how to reach them the first rule in dealing with management is to come to them with a solution, not a problem. If you dump the problem on their lap they will send you on your way telling you to come back when you've figured it out, whereas if you come to them with a solution you are much more likely to get what you need. Remember that managers exist to make work for you, they don't want more work to do themselves, so if you go to them with something that will create work for them they will dump it right back on you. Also, doing the work ahead of time shows you understand the problem and will give you more credibility.

So, make a plan to fix the problem. What's it going to take? Money for extra help? A training program? Figure out how you will fix it and how long it will take. Put it into a PowerPoint with 3 simple slides and put it in front of the key stakeholders. Get one of them to "own the problem", as then they are taking responsibility for it getting fixed. Start issuing a monthly report showing AV uptake and distribute it to the stakeholders.

Remember what motivates management: it's not about doing the right thing, it's about visibility. Make the problem visible and make them own it.

GdD
  • "it's not about doing the right thing, it's about visibility", yes right approach, I think now at least I knew the right methods, just I need to make a good plan. – Akam Apr 24 '14 at 16:40
  • "to come to them with a solution, not a problem" - I would advise you to make this section bold. It summarizes the whole paragraph and is a quite true and important kind of attitude. – Vorac Apr 28 '14 at 13:16
  • Good idea @Vorac, done. – GdD Apr 28 '14 at 18:35
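The monthly AV-uptake report suggested in the answer above is simple to produce from an endpoint inventory export. The following is an added example, not code from the answer or from any product: it counts an endpoint as covered only when the agent is installed and its signatures are recent (the "using it properly" part of the question), breaks the numbers down per department so the stakeholder who owns the problem can see where uptake lags, and lists the hosts that need follow-up. The inventory rows, the report date and the 7-day signature threshold are constructed assumptions.

```python
"""Added example (not from the answer): a monthly antivirus-uptake report.
An endpoint is only counted as covered when AV is installed AND its
signatures are recent, which is what 'using the antivirus properly' means
in practice. The inventory rows and the report date are constructed."""
from collections import defaultdict
from datetime import date, timedelta

REPORT_DATE = date(2014, 4, 24)          # constructed reporting date
MAX_SIGNATURE_AGE = timedelta(days=7)    # assumed policy threshold

# Constructed sample export from an endpoint inventory; not real hosts.
INVENTORY = [
    {"host": "ws-ops-01", "dept": "Operations", "av_installed": True,  "signatures_updated": date(2014, 4, 23)},
    {"host": "ws-ops-02", "dept": "Operations", "av_installed": True,  "signatures_updated": date(2014, 3, 25)},
    {"host": "ws-ops-03", "dept": "Operations", "av_installed": False, "signatures_updated": None},
    {"host": "ws-noc-01", "dept": "NOC",        "av_installed": True,  "signatures_updated": date(2014, 4, 22)},
    {"host": "ws-noc-02", "dept": "NOC",        "av_installed": True,  "signatures_updated": date(2014, 4, 24)},
    {"host": "ws-fin-01", "dept": "Finance",    "av_installed": False, "signatures_updated": None},
]


def classify(row: dict, today: date = REPORT_DATE) -> str:
    """'missing', 'stale' (installed but signatures too old) or 'compliant'."""
    if not row["av_installed"]:
        return "missing"
    updated = row["signatures_updated"]
    if updated is None or today - updated > MAX_SIGNATURE_AGE:
        return "stale"
    return "compliant"


def uptake_report(rows: list, today: date = REPORT_DATE) -> dict:
    """Per-department and overall ('ALL') counts plus compliance percentage."""
    stats = defaultdict(lambda: {"total": 0, "compliant": 0, "stale": 0, "missing": 0})
    for row in rows:
        for key in (row["dept"], "ALL"):
            stats[key]["total"] += 1
            stats[key][classify(row, today)] += 1
    for s in stats.values():
        s["pct"] = round(100.0 * s["compliant"] / s["total"], 1)
    return dict(stats)


def follow_up_list(rows: list, today: date = REPORT_DATE) -> list:
    """Hosts the stakeholder who 'owns the problem' should chase this month."""
    return sorted(r["host"] for r in rows if classify(r, today) != "compliant")


if __name__ == "__main__":
    for dept, s in uptake_report(INVENTORY).items():
        print(f"{dept:<12} {s['compliant']}/{s['total']} compliant ({s['pct']}%), "
              f"{s['stale']} stale, {s['missing']} missing")
    print("follow up:", ", ".join(follow_up_list(INVENTORY)))
```

Reporting "stale" separately from "missing" matters: an installed agent with month-old signatures looks compliant in a software inventory but gives little protection, and the two categories usually need different fixes (update-server reachability versus users uninstalling the product).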

This is really about closing the gap between Information Security and Business objectives.

For most security departments today, the battle of selling Information Security to the board is the major challenge. Usually, board members don't care about "good security", they care about "good enough security". InfoSec is rarely clearly defined in most organizations and it has few known standards. Demonstrable return on security investment is, to say the least, elusive.

Your objective is to understand what directors are concerned with and develop a strategy to sell the message that Information Security is critical. A couple of points that might help you achieve this:

  • Get to know the right people within your organization. Having friendly discussions with the CFO, CEO or internal audit director could give you excellent insight on how best to approach the board. Also, make sure you have some space for discussing Information Security. These are your opportunities to keep the CEO up to date on your company's major risks and protective measures.

  • Keep your CEO updated on laws and regulations that can affect your company. Information protection is now mandatory. Laws, regulations, insurance requirements and shareholder expectations now make information protection a business requirement. Based on your organization's reporting structure, the CEO is the one who will deliver the InfoSec message to the board. You then need to win the heart and mind of your CEO and, hence, the board.

  • Be very opportunistic. CEOs are very selective about what they present to the board. You can take advantage of this to put information security on the agenda. For example, a well-publicized computer crime (e.g. the recent Heartbleed vulnerability) is bound to have their attention. You can do the same with incidents within your own organization. Demonstrate that a major computer breach could mean that next quarter's numbers may be considerably lower. You should be very specific and provide number estimates.

  • Leverage (and try to influence) the work performed by others. The Internal Audit department work is usually very valuable. External audits and security testing services can also help a lot. As an ISP, you might be subject to ISAE audits. Use those to push your needs and concerns to the board. For example, I have recently performed an Information Security Governance audit for a big company. The client was their Internal Audit department, who was informally "hired" to do it by the CSO / Security department in order to move things forward with the board.

  • Point out how good Information Security can be a value-add for your company. Strong security can be a selling point. As an ISP, you can surely promote your security posture as a selling point to potential customers.

  • Use well-accepted techniques of finance and decision-making processes to justify InfoSec investments. Business executives spend money based on ROI, and may not react well to an approach based on unquantified, albeit very real, fears. It's not always easy (the available solutions often don't lend themselves to a by-the-numbers analysis), but your best shot is to present an objective and quantified estimate of the returns on InfoSec investments.

  • Compare to your peers using benchmarks, public reports (e.g. Verizon DBIR, Cisco Annual Security Report) or surveys conducted by well-known companies.

  • Having the right organization is also a determining factor. This includes a well-defined Information Security governance, management and organizational model, reporting functions, etc.

The key to your success will rest upon building a strong relationship with your directors through the CEO and other key corporate officers. Emphasize how Information Security is a service that helps business leaders succeed and contributes to productivity, profitability and growth. That's a message to gladden the heart of any board member.

ack__

The theory is that you get support by using metrics: you have to put figures, preferably expressed in dollars (or euros or yen), behind security. Managers manage: they take decisions, based on observed situations and goals to reach. These goals are often expressed (at least in part) in financial terms. Therefore, managers will decide to support/fund/enforce usage of security controls (say, an antivirus) based on whether this is worth the effort: the said security measures should, overall, bring in more money than was spent on them.

Since security deals with risks, the metrics must take into account both the probability of occurrence of the feared event, and the involved costs. The cost is multiform; e.g. there are "image costs" which relate to how much the business reputation is damaged, and are notoriously hard to estimate. Then any envisioned security control (e.g. antivirus) must be also estimated, both for its own intrinsic costs (e.g. antivirus license, but also extra sysadmin time, and overhead incurred by incompatibilities between the antivirus and some existing software and/or practices), and in how much it is expected to decrease the probability of attack or the costs implied by an attack.

The master concept here is: numbers. Go quantitative. Managers want figures. If you have to make "fuzzy estimates" (i.e. wild guesses), then produce more numbers: give an estimate as a number and an estimate of the reliability of the previous estimate.

The practice is a bit different, of course. Managers are people, too. They have to decide, but they don't like it. What they would really prefer is that the Chief Information Security Officer comes with a detailed analysis which ends up with a single slide with a binary choice: do this and it will save that many dollars, or don't do it and face the consequences.

Because, though managers' mandate is to decide, what they really love to do is to approve or reject. You will get support from managers if you make their life easier, and that involves doing all the decision work except the final "yes" or "no" stamp.

Remember that business is everything. Any decision will be taken based on how well a proposed strategy or policy aligns with the organization's ultimate goals. These goals vary, but, in many cases, they can be expressed as: "Make money. A lot of it."

Thomas Pornin
  • I have concluded many important points from this post, I am sure that after reading other posts I can implement big changes in my organization. – Akam Apr 24 '14 at 16:38
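The quantitative approach the answer above describes (probability of the feared event times its cost, the control's full cost on the other side of the ledger, and a reliability figure attached to every estimate) can be written down as a small model that ends in exactly the "approve or reject" slide the answer says managers want. The block below is an added example, not code from the answer or from any risk-management product; every probability, cost and confidence value in it is a constructed sample for an endpoint antivirus rollout, and the way it turns a confidence figure into a band around the estimate is a simplifying assumption of this example.

```python
"""Added example (not from the question or any answer): a small quantitative
risk model of the kind the answer describes. Expected annual loss is
probability x cost; a control is worth funding when the loss it removes
exceeds what it costs. Every number below is a constructed sample input."""
from dataclasses import dataclass


@dataclass
class Scenario:
    """A feared event, with an estimate and a reliability figure for that estimate."""
    name: str
    annual_probability: float  # chance the event happens in a given year
    cost_per_event: float      # direct costs plus hard-to-measure "image" costs
    confidence: float          # 0..1: how far we trust the two numbers above

    def ale(self) -> float:
        """Annualized loss expectancy: probability x cost."""
        return self.annual_probability * self.cost_per_event


@dataclass
class Control:
    """A security measure with its full cost, not just the license."""
    name: str
    annual_cost: float            # license + sysadmin time + compatibility overhead
    probability_reduction: float  # fraction of event probability removed (0..1)
    impact_reduction: float       # fraction of per-event cost removed (0..1)


def residual(s: Scenario, c: Control) -> Scenario:
    """The scenario as it looks once the control is in place."""
    return Scenario(
        s.name,
        s.annual_probability * (1 - c.probability_reduction),
        s.cost_per_event * (1 - c.impact_reduction),
        s.confidence,
    )


def evaluate(scenarios: list, control: Control) -> dict:
    """Net annual benefit of a control plus a reliability band.

    Assumption of this example: confidence c means 'the true loss reduction
    is within (1 - c) of the estimate', so low = reduction * c and
    high = reduction * (2 - c), using the least confident input. The verdict
    is the one-slide choice: 'approve' when even the low end pays for the
    control, 'reject' when even the high end does not, otherwise the
    estimates need more work before anyone is asked to sign.
    """
    before = sum(s.ale() for s in scenarios)
    after = sum(residual(s, control).ale() for s in scenarios)
    reduction = before - after
    c = min(s.confidence for s in scenarios)
    low = reduction * c - control.annual_cost
    high = reduction * (2 - c) - control.annual_cost
    if low > 0:
        verdict = "approve"
    elif high < 0:
        verdict = "reject"
    else:
        verdict = "refine estimates"
    return {
        "ale_before": round(before, 2),
        "ale_after": round(after, 2),
        "net_benefit": round(reduction - control.annual_cost, 2),
        "net_low": round(low, 2),
        "net_high": round(high, 2),
        "verdict": verdict,
    }


# Constructed sample figures for an endpoint antivirus rollout; not real data.
SCENARIOS = [
    Scenario("commodity malware outbreak", 0.6, 80_000, confidence=0.7),
    Scenario("ransomware on file servers", 0.1, 400_000, confidence=0.5),
]
AV_ROLLOUT = Control("enforced endpoint AV", annual_cost=12_000,
                     probability_reduction=0.7, impact_reduction=0.3)

if __name__ == "__main__":
    for key, value in evaluate(SCENARIOS, AV_ROLLOUT).items():
        print(f"{key:>12}: {value}")
```

With the sample figures the control removes about 69,500 in expected annual loss against 12,000 of cost, and the verdict is "approve" even at the low end of the band. Raising the control's cost (or lowering the confidence in the inputs) moves the result into "refine estimates", which is the honest answer when the band straddles zero: it tells the manager that the decision hinges on numbers nobody has pinned down yet.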

(Full disclosure: I build and run software pen-testing and security teams as a sub-function of building security software, and developing software securely. My company is not listed in any of the services recommendations below.)

Should you build a security team or pen-testing team?

While a few responders here have alluded to internal penetration testing, building and maintaining such a team is difficult to impossible for many organizations, particularly smaller companies that are not in the security business. These skills are hard to come by in hiring. If you choose to train internal staff then you bear an increased attrition risk on top of the monetary and opportunity cost of training. The risk is that once the skills are acquired the staff with such skills are in high demand in the industry so most companies experience increased attrition from such personnel because there are plenty of other companies willing to pay top dollar for those skills. (BTW, I do recommend training your staff on security, but not necessarily investing as deeply as what would be needed to "build a pen testing team".)

Hire a 3rd-party so you can focus on your core business.

My recommendation for a company your size would be to enlist the skills of a commercial firm that specializes in penetration testing. This buys you legitimacy in the eyes of your management and executives. Rather than "that security guy over in IT" telling us we need to improve security, it's coming from a company that helps secure the likes of Fortune 1000 companies.

Example pen testing companies include Core Security, Offensive Security, Trustwave, and Cigital -- whose CEO (Gary McGraw) literally "wrote the book" on software security. To avoid confusion, the service you're looking for is called "network penetration testing". (The "network" term distinguishes it from "software penetration testing". This is important because if you do general searches on "penetration testing" you'll find plenty of firms that specialize in testing new software before it's released, which also happens to be called "penetration testing." I personally refer to that aspect of software security testing as "vulnerability analysis", but that would need to be a separate post on the Secure Software Development Lifecycle.)

Don't surprise your executives with a successful breach.

The most important thing is to ensure that someone at the CxO or Board level is informed and involved ahead of time, before the testing starts. (Otherwise you're inviting legal problems since these types of attacks are illegal if the company didn't specifically request them to be performed.)

Pen Testing is a good way to show that real issues exist. A good pen tester will actually breach a system and obtain private data in order to show the severity of the issue. However, how do you generate enough interest to gain the support for pen testing? You can use the following methods to gain support for deploying AntiVirus, for Pen Testing, or for any legitimate work that needs to be done to harden your infrastructure, control your risk, and protect your customers.

How to Generate Support

1. Appeal to the company's natural desire to limit risk and liability, while defending against competitors.

Just a few examples...

a. Company or executive liability. The CEO and board of directors can be held personally liable if they're shown to have known that a business risk existed and they did nothing to remediate the risk. So, you can leverage this (gently) in your communication. Once they're on board with the need to self-assess, they may even elect to conduct physical pen testing of the company premises. (i.e., Talk your way past the front desk by pretending to be the fire marshal, then during the "fire inspection" install key-logging USB sticks that phone home, on all the machines.)

b. Costs or lost revenue from PCI-DSS. If you receive payments through credit cards, the PCI-DSS "standard" mandates that certain security solutions must be implemented within the business infrastructure. Credit card companies have come up with this as a way of shifting the liability for fraudulent transactions from them, to you (the customer-facing business). If you were to be audited (and I'm dealing with a medium-sized business that's being audited right now), you could be forced to bring in 3rd-party security vendors or managed-service-providers to assess and implement security, all at a much higher cost than you could do on your own, or risk being cut off from processing by Visa, MC, and/or AmEx until you can prove that you've corrected the issues and have paid for an independent audit. You should seek more info on this on your own, as this is a real-world liability that's showing up for more and more businesses.

c. Downtime and revenue-impact from government intervention.
The FBI monitors internet traffic for signs of malware infections phoning home. I've been involved in several instances where the FBI contacted a business and told them that their network was infected. The risk here is that they could confiscate computers or have your backbone drop(s) cut off until the exploited systems were cleaned. Since you're an ISP, if you're colo'd then you may incur costs from the colo facility for them to have personnel onsite to deal with the FBI. If you run your own data-center, then you could see servers or racks disappear or at least be taken offline for some time while forensics are performed. This downtime could be devastating to the business.

d. Competitive attacks. Did you know that your competitors can leverage the services of an attacker-for-hire to DDoS your network to negatively impact your customers? Alternately, they could choose to attempt access to your internal systems in order to acquire sensitive business-roadmap information, or pricing, vendor, or customer lists.

e. Hackers -- aka "Security Researchers" (For the purists out there, yes, these are actually called "Crackers", but let's stick with the vernacular for now.) An unprotected network, or insufficiently protected endpoints, could end up being the target (pun intended) of black-hat, grey-hat, or white-hat hackers. In other words, an independent 3rd party may find a way to breach your systems for fun or profit.

Outcomes could include:

  • Company funds stolen through compromised banking login credentials, or directly accessed (owned) internal systems;

  • Having to notify your customers that your systems have been breached, and their customer data (passwords, credit-card numbers, etc) has been stolen;

  • Having to negotiate ransom payments with attackers to regain access to critical internal systems that they've encrypted in order to lock you out and force you to pay;

  • Having to negotiate with "security researchers" to gain sufficient time to patch internal systems or close security holes, before they "go public" with information that they've defeated your perimeter security or layered defense mechanisms. The more aggressive "researchers" may provide proof-of-concept tools or even detailed instructions on how to replicate the attack, so that other researchers may validate their findings (while hackers leverage the newly-disclosed info for an actual attack).

One critical point to add: By taking on the title of "IT Security Manager", you need to be aware that if one of the above outcomes actually occurs, Execs are likely to look to you with the question "how did you let this happen?" In that circumstance, they're unlikely to remember your past proposals requesting their support for security policies and programs.

2. Build awareness.

a. Share security information internally within your company. Create a custom weekly newsletter where you choose security topics most applicable to your business and add your personal analysis of the risk or applicability to your company, along with what users or the company can do for prevention. For real-time sources of information, subscribe to an RSS feed from the security industry experts (Eric Krebs or Bruce Schneier are excellent) or solution providers (great feeds / blogs include TripWire's "The State Of Security", Symantec's "Threat Intel", Kaspersky's "Securelist", and Google's "Online Security Blog", among many others).

b. Conduct some penetration testing or vulnerability analysis of your own to highlight systems that are vulnerable to attack. I'd recommend picking up a tool that attempts to exploit network vulnerabilities such as Metasploit (great, widely used, but grab a book to guide your way) or Core Impact (expensive). You should also look into pen testing or vulnerability analysis apps that simply flag the presence of vulnerabilities, such as Cenzic Hailstorm (recently acquired by Trustwave, the pen testing company I listed above). The results probably won't surprise you, but will surprise your users when you email them the report of successful attacks against their machine(s).

The aggregate reports and stats from these tests should give you a decent set of intelligent data points to use to influence the managers, users, and executives regarding the security technology program. This is also a good start to the discussion and planning for "we should conduct independent / 3rd-party pen tests on a regular basis".

More Info

Additional good sources of info:

CERT: http://www.cert.org/information-for/system-administrators/

NIST (security standards, and security and risk-management frameworks): : http://csrc.nist.gov/

ISO (security standards): (Looks like I don't have enough reputation to post more than two links, so you'll just have to Altavista it ^H^H^H^H I mean Google it. :) )

To answer another one of your questions directly, specifically, "Is there a role/function dedicated to information security and/or information management?":
The security "position", "team", or "role" varies by company and segment. Very large companies may have a CISO (Chief Information Security Officer) and respective org. More frequently I've worked with InfoSec (Information Security, usually as part of the IT org, though sometimes part of Operations or the COO org), and occasionally NetSec and AppSec (Network Security and Applications Security, respectively). Some companies will also split out Incident Response (detecting and responding to attacks or breaches, then conducting post-attack forensics) as a separate operational function. In your role, it sounds like you could benefit by wrapping the InfoSec moniker around your role.

Good luck Akam!


[TL;DR?T*B]

user45399
  • What did you spend last year on incident management?
  • What will you spend next year on incident management?
  • What will you spend next year on incident management if you proactively deploy countermeasures?

I'd also consult sources like the Verizon Data Breach report to find out the likelihood and cost of incidents at companies like yours.

MCW
  • On a side note, the Verizon Data Breach Investigation Report for 2014 just got out: http://www.verizonenterprise.com/DBIR/2014/insider/?utm_source=earlyaccess&utm_medium=redirect&utm_campaign=DBIR – ack__ Apr 24 '14 at 12:59

Your case is similar to mine.

There was neither a security position nor anyone taking care of security, but after I joined as a system administrator, within a week I had "created" a security position which I took care of.

How did I do that? By instilling fear in management about the consequences of their lack of security controls. Also, this fear was strengthened when I found a web shell on a production server.

Additional Information:

  • Organization: Government
  • Size: don't know, hundreds or thousands.
  • My role: contracted as sysadmin, became security engineer within a week.
  • Reporting to: IT Manager, Technical Director.
  • Is there a dedicated function for Information Security and/or Information Management? I "created" it.
The Illusive Man

Though not entirely advisable, if not entirely illegal, and not recommended, worst-case scenarios wake people up.

Certain large organizations which prioritize internal security do a number of different things to enforce their policies. Arguably the best and most potent things done involve actual authorized (key word) exploits carried out by the security team internally to test systems. This is known as penetration testing or pen-testing for short. With explicit company authorization, other things may be done to test company security not in theory but in actuality.

When these internal, authorized "attacks" are carried out properly and with authorization, the company can test and enforce their security policy in actuality and not just in potential.

Here are a couple dramatized examples of what can be done internally by a security team to raise awareness and encourage a more active involvement in security:

Spam Trap

Bob works for his company on the security team. Bob sets up a system to create spam mail to internal company email addresses. In the spam message, Bob carefully crafts a message bearing the company logo which recommends that all users change their passwords due to a security problem experienced which leaked company member passwords.

A few coworkers ignore the email as is common in the workplace, some don't even receive it as it is bounced to their spam folder, and some users do actually end up changing their passwords, however they do so by manually going to the company website directly.

Sue, however, clicks the link provided in the email. The link takes her to a carefully crafted webpage which looks nearly exactly like the company's main website. Sue proceeds to change her password, providing her current password and a new password. After hitting submit, a page is displayed that the password change request has failed and to try again later.

Bob has a new email in his inbox containing Sue's password from the fake mirror site he set up.

When the above example happens, the company can see whether their policies are upheld by employees properly. When done properly, managers and higher-ups in the company can be notified what happened (preferably without mentioning the name of the employee) and the employee can be privately confronted about the mistake. In this way, both the employee and management learn that the company's security policies are there for a reason. Both parties experience being on the edge-of-disaster, if you will, and feel relief that it was done internally and not externally.

Bob has done his job, the security at the company has been upheld, and both the common person and the higher-ups in the company feel the effects, enhancing the idea of organizational security for all parties.

In this way, security becomes viewed as being something in actuality and not just in potential.

Security Exploits

Alice works in her company's security department. After being notified of a critical vulnerability in the company's database management system, Alice notifies the systems administration team and asks them to fix the issue as soon as possible.

Two weeks later, Alice remembers the exploit and runs an authorized test against the DBMS to determine whether the issue has been patched yet. It is discovered that the issue hasn't been patched yet and that it is still lingering around, open to whomever would exploit it.

With authorization from her superiors, Alice uses the exploit to inject a new row into the users table in the database. She then uses the exploit to retrieve that value. She captures the returned value, and then informs her superiors on the security team.

A meeting is called and the systems administration team is shown the "damage" caused by the exploit in a non-embarrassing way. The systems administration team is thus made aware of the threat in actual terms and management in the company can see the inherent value that the security team provides to the organization.

In this example, it's also apparent how everyone benefits from having an authorized internal party carry out an "attack." Management wins, the security team wins, and the systems administration team sees the importance in keeping on top of patching exploits.


TL;DR: Though it's not often possible, having an active pen-testing and social-engineering-testing security team which actively finds and "exploits" security holes in an organization makes security real to an organization.

Naftuli Kay

I was personally speaking with the former chief information security officer of a $5B company last week and he mentioned his strategy to get the other executives to approve funding for security projects.

He would spend a lot of time converting the possible losses into a dollar amount, being careful to show the various components (lawsuits, labor for disaster recovery, brand damage, etc.), but in a very high-level manner.

Then he would essentially say "The potential loss of this vulnerability will cause us $X in damage, but it will only cost us $Y to fix it right now, before it happens. I need you to either approve this funding, or sign off saying you feel this is an acceptable risk".

rambo coder

You need to educate the users. Write, for example, a prank "virus" and set it free on the PCs that do not use AV. When called in to help, keep asking what data they would have lost if it was a real virus and how much it would cost the company.

irfan
  • This suggestion would be far more likely to get you summarily dismissed and potentially criminally prosecuted than it would be to help you build management support. I strongly advise against this. – Xander Apr 25 '14 at 01:11
  • This is the kind of thing you could do with management support as part of a security program (it is similar to test phishing I guess), but you'd need a lot of management support and coordination for it, and it's kind of a bad idea since it has a ton of operational risk. Exposing your business to that risk without management involvement is worse than negligent. – Falcon Momot Apr 25 '14 at 05:13
  • I can't begin to emphasize how bad this is as an approach. – schroeder Apr 28 '14 at 18:56