Selling Information Security to the Board

Selling Information Security to the Board: A Primer

ALAN CALDER
Copyright Date: 2010
Published by: IT Governance Publishing
Pages: 64
https://www.jstor.org/stable/j.ctt5hh3tg
    Book Description:

    Persuading the board to invest in information security measures requires sales skills. As an information security professional, you are a scientific and technical specialist; and yet you need to get your message across to people whose primary interests lie elsewhere, in turnover and overall performance. In other words, you need to develop sales and marketing skills. This pocket guide will help you with the essential sales skills that persuade company directors to commit money and resources to your information security initiatives.

    eISBN: 978-1-84928-054-9
    Subjects: Technology

Table of Contents

  1. Front Matter
    (pp. 1-4)
  2. PREFACE
    (pp. 5-5)
  3. ABOUT THE AUTHOR
    (pp. 6-6)
  4. ACKNOWLEDGEMENTS
    (pp. 7-7)
  5. Table of Contents
    (pp. 8-8)
  6. INTRODUCTION
    (pp. 9-11)

    C-suite IT and information security executives have usually attained their responsible positions by being good at the technical aspects of their functions. Their background, schooling and higher education are mostly in science or technology disciplines. They understand information technology, they’re usually up to date with the latest threat developments, trends and risks, and they know their way around the network infrastructure. They may have a good understanding of IT-related best practice frameworks, such as ITIL, COBIT, PRINCE2 and ISO27001. They understand information risk.

    Boards, however, across most business sectors, are mainly made up of people drawn from a wider educational...

  7. CHAPTER 1: THE SALES PROCESS
    (pp. 12-13)

    ‘Sales’ is a process. A process has inputs and outputs and proceeds according to certain predefined steps.

    The input into the ‘Selling Information Security to the Board’ process is a collection of raw information about one or more specific issues and a proposed course of action in relation to those issues. The identified issue could be as broad as ‘inadequate information security across the whole organisation’ or as narrow as ‘our financial results might leak before they are officially released’. The desired output from the process is a decision, by top management, to commit time, money and resources to implementing...

  8. CHAPTER 2: SALES BASICS
    (pp. 14-16)

    The three basic sales concepts that any information security professional needs to understand are:

    1 Needs versus Wants

    2 Features versus Benefits

    3 AIDA.

    ‘Want’ can be defined as ‘having a strong desire for something’, whereas ‘need’ is usually understood as being ‘a lack of something basic or fundamental that is necessary for continuation’. ‘Need’ is most commonly understood in the context of an individual’s shortage of food, accommodation or healthcare.

    The salesperson needs to differentiate between these two human drivers. People often do things they need to do, even if there is something else they want to do instead:...

  9. CHAPTER 3: SELF-PREPARATION: UNDERSTAND THE BUSINESS
    (pp. 17-19)

    As I said in my introduction, top management are primarily interested in what makes the business work, not in the technology that underpins it. The attention span of individual senior managers can be short and, if their attention is not caught by an issue, they move on to something else without even getting interested in the subject. And if you talk to them in a language they don’t understand, you won’t even capture their attention.

    ‘Techtalk’ is a language the Board doesn’t understand. Security layers, protocols, OSes (operating systems), petabytes, virtualisation and TLAs (three letter acronyms) all leave the Board...

  10. CHAPTER 4: SELF-PREPARATION: SOFT SKILLS
    (pp. 20-23)

    ‘People buy people first, and everything else second.’

    Good sales people recognise this instinctively. Poor sales people are smarmy, incongruent or irritating. Non-sales people don’t even try.

    So, what sort of people do people buy? The answer is that ‘people like people like themselves’. Most people recognise the broad truth of this statement: their friends have similar interests and lifestyles. Most people marry within their culture, social class, religion and racial background. People are just more comfortable with people like themselves.

    Your senior management, however, are not necessarily people like you; they may not feel comfortable with you and, if...

  11. CHAPTER 5: SELF-PREPARATION: BE CREDIBLE
    (pp. 24-27)

    As an information security leader inside your organisation, you have a unique opportunity to establish yourself with senior management in a way that is not open to any outsider.

    Management will always listen to their trusted advisers. They won’t always follow their advice, but they will usually pay attention when they raise an issue, and will usually be interested to find out why they need to do something about it.

    The trusted adviser, in other words, will almost always get through the first two stages in the AIDA sequence by default.

    How does the information security professional become a trusted...

  12. CHAPTER 6: SELF-PREPARATION: BUILD A TRACK RECORD
    (pp. 28-31)

    All information security practitioners know, intellectually, that confidentiality, integrity and availability (C, I and A) are the three key principles of information security management. However, most practitioners actually concentrate more, in their day-to-day environments, on protecting confidentiality and integrity. The concept of ‘security’ doesn’t seem to contain the idea of availability.

    However, to the business manager, ‘availability’ is the most important attribute of information. Line managers want to be sure that they, and their people, can access the information they need to do their job, as and when they need it. This business desire for availability often clashes with the...

  13. CHAPTER 7: DEVELOP AN ALLY
    (pp. 32-34)

    ‘Sales’ is a transaction: on one side is a seller (you) and on the other is a buyer (the Board). The Board, however, is not an individual – it is a collection of individuals and, in order to sell to a group, you have to understand something about how groups make decisions, and in particular, how your Board works.

    Unless you are already a member of the Board, or of the senior management group, you’re unlikely to have much of an insight as to how decision making works. You need to know, for instance, if your Board’s decision making is...

  14. CHAPTER 8: WHAT MOTIVATES MANAGERS?
    (pp. 35-38)

    Officially, managers in the private sector are motivated by their obligation to maximise the return on capital invested in the organisation by shareholders; in the public sector, by a sense of public duty; and in the third or voluntary sector, by a commitment to the cause of their members.

    In those (mostly) smaller organisations in which management still holds the largest percentage of the shares (i.e. well over 50%), what management wants is usually in line with what the shareholders want. This is not always the case in larger organisations, where management is, in effect, the agent of the shareholders....

  15. CHAPTER 9: PLEASURE AND PAIN
    (pp. 39-41)

    Most individual managers are driven by a combination of the desire to experience pleasure and a determination to avoid pain. In the corporate world, pleasure usually materialises as salary increases, bonuses and stock options, while pain is expressed by demotion, public humiliation and possible jail time.

    In the experience of most technologists, senior managers and Board members have the attention spans of gnats; unless an issue is directly related to improving either the top line (revenue) or the bottom line (profit before tax, or EBITDA, or whatever particular number is your company’s obsession), they pay it only the briefest of...

  16. CHAPTER 10: LEVERAGING REGULATORY COMPLIANCE
    (pp. 42-45)

    A well-prepared, well-organised, trusted adviser is likely to gain an audience from senior managers to talk through proposals for enabling the organisation to outperform its competitors, while removing non-compliance risk to the bottom line.

    Identify a relevant law or regulation that has IT-related compliance requirements: the UK’s Data Protection Act (‘DPA’), HIPAA and GLBA in the United States, PIPEDA in Canada, and so on. Identify the gaps between your current actual practice and what the law requires you to do, focusing on the bigger issues, the areas of non-compliance which are likely to trigger the bigger problems. Under the UK’s...

  17. CHAPTER 11: LEVERAGING ISO27001
    (pp. 46-48)

    The International Standard for best practice in information security management is ISO/IEC 27001. This Standard provides a detailed specification for how an organisation should select information security controls, on the basis of a risk assessment, to counter threats to the confidentiality, integrity and availability of the organisation’s information assets.

    The Standard is written to be technology neutral and sector agnostic; it is as applicable to large organisations as to small, and to the private sector, the public sector and the third, or voluntary, sector. Any organisation that complies with the Standard can have its management system audited by an accredited...

  18. CHAPTER 12: INFORMATION SECURITY GOVERNANCE
    (pp. 49-56)

    This is a much harder sell but, if the Board can be brought to understand that it has a governance responsibility in respect of information security, you will have made the task of selling future information security investment proposals that much easier for yourself.

    Here’s the argument:

    The availability, integrity and confidentiality of its data are fundamental to the long-term survival of any 21st Century organisation. Unless the organisation takes a top down, comprehensive and systematic approach to protecting its information, it will be vulnerable to a wide range of threats, ranging from cybercrime and cyberterrorism, data leakage and insider...

  19. CHAPTER 13: THE PROPOSAL
    (pp. 57-58)

    Your organisation is likely to have a standard format for making formal proposals for capital expenditure for project approval. You’ll probably want to follow the standard format.

    We’ve already dealt with the importance of spelling, grammar and syntax.

    There are a number of key elements to any potentially successful proposal that you’ll want to ensure yours has. (If your organisation’s standard proposal doesn’t include these elements, you may want to add them in.) The first, and most important, is the executive summary. The executive summary appears at the top of the first page. It contains a concise, clear summary of...

  20. CHAPTER 14: HANDLING OBJECTIONS
    (pp. 59-60)

    The questions and objections phase is a critical phase in any sales process. It’s a good phase. You only get objections if your audience has paid a bit of attention and thought a bit about the issues you’ve raised. So, you should like objections just as much as you like questions. Do not feel or display defensiveness at this point. Welcome questions and objections: they give you the opportunity to better explain areas that your audience may not have fully understood yet.

    There is an important technique to handling questions effectively, and that is to ‘ask the question back’, just...

  21. CHAPTER 15: DELIVERANCE
    (pp. 61-61)

    As soon as you have authorisation to proceed, you get to work.

    Communication is at the heart of delivery, where the Board is concerned. You want to give the Board a regular progress report – what’s gone well, what hasn’t (keeping it simple and short, of course) and providing measurements that indicate the success of the project.

    Approval, authorisation to proceed, is just the first step. A crucial step, yes, but actual delivery – on time, on budget and to specification – is even more important. It’s how you demonstrate that the Board was right to trust you – and...

  22. ITG RESOURCES
    (pp. 62-64)