It's a well-known fact: Network security is a thankless job where success breeds anonymity. The more successful you are, the fewer incidents you have to report and the fewer opportunities you have to interact with upper management and gain respect from the business side of the house.
Plus, perfect performance is the expectation, says Mike Phillips, CIO and vice president of IT at Texas Tech University Health Sciences Center in Lubbock. "Security has risen to virtually an entitlement with folks, and they don't necessarily appreciate or concern themselves with what goes on behind the walls to make it happen," he says. "It's not an area where success leads to respect."
However, success quickly can lead to failure. Lack of awareness means difficulties funding critical security projects and, eventually, problems keeping the company secure. It's a vicious cycle, but one you can break by taking a few simple steps to keep yourself and your organization's security needs uppermost in top management's minds.
1. Get a dialogue going.
"It follows that if upper management hasn't heard from you and has no idea what you do, it'll tend to resist giving you more money to do it," says Steve Crutchley, founder of 4FrontSecurity Inc., a consulting firm.
Users agree. "You need to develop a collaborative relationship with the business side," Phillips says. "Tell what you're doing, and more importantly, ask how you can help them help the business."
Brian McEvoy, systems organization manager for PLM Solutions, an EDS line of business in Cypress, Calif., has put procedures in place to do just that. "I meet with key users in sales and development if we're contemplating a security change," he says. "I tell them what I'm planning and ask their advice. They communicate with their downstream people, get the feedback, and we discuss it and make it happen."
This process worked well when the Bugbear virus appeared in the fall, McEvoy says.
To combat Bugbear, McEvoy wanted to push out Microsoft Internet Explorer 6 to everyone. But upon contacting his advisers on the business side, one came back immediately and said Internet Explorer 6 presented a problem because the company was using a product that had not been certified for that version of the browser. "They asked us to hang on until they got it certified. Those guys scrambled, got it certified within two days, and then we did [the upgrade]," he says. "They appreciated the heads-up, I appreciated the feedback, and we avoided some problems."
2. Make security a service.
Crutchley says management tends to view security as "a grudge spend," something it has to pay for without really understanding why. Security professionals sometimes underscore this perception by issuing edicts and policies without fully explaining the need or the business impact.
"Some security guys just sit in their ivory towers and dictate policy and direction for the organization," Phillips agrees. "That doesn't work. Organizations are built on trust and credibility, and security is no different."
Business has to view security as a service, just like human resources or accounting, McEvoy says. "We've worked hard over the years to project that image. Rather than coming in as Big Brother, we come in and explain, You're going to get hurt if your machine is infected, and you're going to be embarrassed. So here are some tools we can give you to protect yourself.' Once they see you as a partner, it works out," he says.
3. Do the math.
Security professionals need to set needs and expectations in terms that business users understand, McEvoy adds. This means analyzing risk and return, not just in technical terms, but in dollars and cents.
"We sit down together with the bean counters and assess risk," he says. "Say it's going to cost us US$200,000 to get this security product in place. We weigh that cost against the risk and make the decision based on both financial and technical risk. It's simple math. Here are the risks, here is the probability, multiply one by the other and you come up with a number. There's no arguing with that."
4. Show return on investment.
Management also has to be able to see what it's paying for, McEvoy says. A good way is with executive-level reports, many of which security tools generate.
"We send weekly reports to upper management to let them know that over the past week, we've blocked so many viruses or stopped so many intrusions," he says. "It makes security more concrete and shows them exactly where all that money has gone."
It also shows that all has not been quiet on the security front just because no disasters have occurred. "On the contrary, it underscores the fact that we haven't had to waste money or lose productivity," McEvoy adds.
Because he's followed these steps, McEvoy says he seldom faces resistance to security spending and gets respect from his business peers and top managers.
"I'm putting in a request now for maintenance payments on one of our security products," he says. "I anticipate gasps and gulps, but I don't anticipate not getting it pushed through because we have a track record to show what it's doing. They know their money isn't just going into a black hole."