Looking to obtain management support? It's not always easy. Security officers in many organizations are constantly trying to win more management support and funding for their programs. This can be a difficult task, so what I have done below is list a few approaches that have worked within different organizations.
Compliance – The number one way to get management support is through compliance regulations and industry standards such as GLBA, HIPAA, SOX, and PCI DSS. If management doesn't already know what these require of the organization, educate them, and you will get the support and funding to implement the parts of the program that satisfy those requirements.
Third Party Review – This can be as simple as commissioning a risk assessment or as involved as hiring skilled ethical hackers to demonstrate weaknesses in the organization's information systems. The main point is that management tends to listen more to third parties than to internal security staff. Often nothing comes out of these assessments that the CISO/CSO didn't already know. However, third parties bring a different presentation and an outside reputation that give the same findings credibility.
Return on Security Investment – For more mature programs, where security devices and security testing are already integrated into daily operations, return on security investment is the best motivator for management to provide additional support. These organizations must measure metrics and gather statistics continuously. The metrics should demonstrate that a particular practice, such as performing code review, actually saves the company money compared with the application testing process currently used within the organization. Statistics from industry studies should also be presented to management as supporting evidence that particular security practices save more money over time than they cost.
The Proposed Program – For newer security programs, where a CISO/CSO has only recently been appointed (yes, these organizations still do exist) and the security team is very small, a formal proposal and plan must be presented to management. In this situation the newly appointed CISO has a difficult job, especially if the individual does not have an information security background. A detailed plan must be developed, and it must include education for management about why security is needed. The plan needs to lay out both short-term and long-term steps for implementing the different security controls, prioritized by the results of a risk assessment. The key to implementing the plan is to bundle security with other ongoing and new projects. It is much easier to take a little money here and there than to ask for the entire budget at once. Adding security to each project also pays off later, because you have already started integrating security into the practices the organization has in place.