Watch Your Language: Rebuilding The Case for Cybersecurity
Fri, 2009-06-19 17:44

  Over the past few months I've discussed security topics with professionals from across America. I keep hearing the same questions: How do we build (or rebuild) the case for improving cybersecurity during this economic downturn? Why aren't more companies (or governments) hiring certified security professionals right now? Why can't my security program get any respect from upper management? Should I just sit back and ride out the recession by waiting? Why doesn't my management get it? Or, getting even more personal, why can't I find a security job?

  Bottom line, with all of the ID Theft, fraud and hacker stories, why are they cutting my security budget?

No doubt, much of what is going on is out of our control. Layoffs, furlough days, and salary cuts are common across industries. Most technology and security projects are getting hit hard. Where good ideas used to require a 3-5 year ROI, getting approval for new initiatives may now mean near-real-time cost savings - or at least same-year hard savings.

  Yes, there are plenty of good answers. Hundreds of articles and white papers have been written over the past few years on return on investment (ROI) for security, the fear, uncertainty and doubt (FUD) factor, risk assessments, and ways to leverage HIPAA and other compliance efforts. I've used each of these approaches over the years to sell security projects, and we still need to apply similar arguments.

  But can we be doing more to improve our chances? More important, should we act differently moving forward?

  I think we need to focus on our language. What are the enterprise priorities and the words we say to describe those priorities? Good security execs have learned that they need to discuss how to enable, not disable, and to offer secure alternatives, but what are we enabling?

 I was intrigued by this New York Times blog by Saul Hansell entitled "The Nation's CTO Lays Out His Priorities." Saul had a chance to sit down with Aneesh Chopra recently. Saul describes the key areas that will drive Mr. Chopra's next few years:

  • Economic growth through innovation
  • Addressing presidential priorities through innovation platforms
  • Building the next-generation digital infrastructure
  • Fostering a culture of open and innovative government

     

     I know, Aneesh Chopra is not the President's new Cyber Czar. He doesn't even mention the word "security" in his four stated priorities. But if you read these and say "so what," I suspect that you may need to change your language in describing the benefits of security. Perhaps you should even consider rebuilding your approach to gaining wider executive buy-in.

     Gaining the required support for security requires us to use the same words that our most senior leaders use - whether in government or in the private sector. Take another look at the list. The case can be made that cybersecurity is an integral component of each of Aneesh Chopra's stated priorities, but I'll leave that argument to be made on another day.

      My point is that we need to rethink the words we use to sell security (or any other technology initiative) in this new environment. Despite their validity, the old arguments for security often fall short today when everyone is cutting. Success usually starts with the right words on the agenda for important meetings with key stakeholders. Use the wrong words, and that urgent threat discussion may never even occur. I'm not talking about spin, but about allowing security and risk to be incorporated into hot projects. Focus on their agenda, and you will be more successful.

  • Most of all, watch your language.   

    What are your thoughts? Any good war stories about selling security to execs?

    Reader Feedback
    Mon, 2009-07-06 00:53
    Get in the room with the right execs
    By Anonymous

    I agree that language is key. But before your words even matter, security leaders need quality face-time with the right business executives.

    Sadly, that doesn't happen enough.
