Gaining InfoSec Buy-In

In my experience, the biggest impediment to a high-quality information security posture at an organization is not money or well-informed InfoSec practitioners. The biggest impediment is getting the front-line workers of an organization to believe in the mission of InfoSec. Rather than waiting for an audit finding or a compliance issue to drive us toward security, we want to get workers thinking and acting securely in their day-to-day behaviors.

In trying to get workers to buy into the mission of InfoSec we have several forces we’re fighting against. We’re battling busyness, status quo, and the certainty of functionality versus the potential of breaches.

Busyness

Time is the most limited of all our resources. Every minute of every day we make a decision about how to spend that moment, and we never get to change that decision. When a worker sits down for the day they have to decide how to spend those 8 hours. Quite a few factors will go into that decision.

1. What fire is burning hottest right now? What will get people off my back?

2. What is my boss’s biggest priority? Nobody wants to go into a meeting with their boss and say they’ve been ignoring the boss’s pet project.

3. What task am I interested in working on? What task has the fun factor going for it?

4. What is the highest profile work? What’s going to show off the worker as a “go getter” and lead to acknowledgement and advancement?

I’m sure there are many more, but that’s a start. So, which of these answers would encourage an employee to focus on security work?

  • Perhaps number 1 might, if there’s an audit finding or a breach has just taken place. But that’s the wrong way to do security. When a fire is burning it’s too late to fix it right. At that point we need to fix it fast instead.
  • Number 2: this looks like a pretty good entry point for InfoSec. Let’s get bosses talking about security in their departments, and not just as lip service. Bosses need to communicate that information security is a priority, and then ask their employees how security is being implemented. The InfoSec team must work to make security one of the boss’s pet projects.
  • Number 3: every employee has different areas of interest, but we can make security more interesting in how we communicate around it. Invite workers to industry webinars. Email out stories about organizations in your industry being breached or implementing smart new security. By keeping security topics in front of our workers, many will start to become interested.
  • Finally, accomplishing high profile work equals recognition, promotions, and raises. What employee wouldn’t prioritize that kind of work? So, let’s make information security high profile work. InfoSec should publicly acknowledge those who are doing a good job with security. Get bosses to include annual performance evaluation items around security. Talk about security achievements at staff meetings. Once it’s known that workers are getting ahead because they practice security, others will follow suit.

The Tyranny of the Status Quo

The basic idea is: the present rules over both the past and the future. What people are doing right now is what they will tend to continue doing. Isaac Newton had it all figured out a long time ago:

“An object in motion tends to remain in motion, and an object at rest tends to remain at rest.”

– Newton’s First Law of Motion

Employees get comfortable in their routines. They will tend to resist change. But the news is not all bad. That also means that once we get people properly considering and implementing security they will tend to continue to be secure. Think of it like getting a heavy item on wheels rolling. That initial shove to get any movement can be a lot of work. Once you’ve got it rolling along it still takes some work to keep going, but not nearly as much.

We must be deliberate in our attempts to overcome the status quo. Confront the phenomenon head on. Communicate to the workers and their management that we know it’s a departure from what they’re used to, but explain why we need to make the change, and how it will impact their jobs. Be completely upfront about what changes we’re asking them to make, then hold them accountable for making the changes. Being direct, and not beating around the bush, lets people know that this “security thing” can’t be avoided, and won’t just go away if they ignore it.

Once you get the ball rolling… once you have momentum for security within your organization… status quo is working for you. Don’t let up. There may be a tendency to walk out of a very successful meeting on security and think, “Well, we’ve got that taken care of.” But it’s on those successful events that you can most easily build. Follow up with more events and more communication. Don’t let the momentum die.

Instant gratification: Functionality versus Security

Just about any project in life is going to have functional and non-functional requirements. House buyers look for a certain list of items when they buy a new home. They might want 4 bedrooms, 3 bathrooms, and a big yard. Those are functional requirements. What they may not think to ask for is an electrical system that’s built to code so the house doesn’t catch on fire, or a foundation that’s poured deep enough that the house won’t shift when the topsoil starts moving. Those are the non-functional requirements of a house. Functional requirements are what will bring you to look at a house, but if it doesn’t have the non-functional ones as well, the smart buyer won’t even consider the house.

Security is a non-functional requirement. The business does not come up with a new initiative for the sake of its security features. You don’t implement a wireless network so that you can try out the new rogue AP detection systems, or the captive portal technology. You implement wireless so that you can connect a system remotely and conveniently, for the functionality.

This truism is another reason that workers don’t focus on security, and it is simply not something you can change. What you can do is drill into the decision makers that security is an essential part of quality. If the story of the car manufacturers from the last couple of decades has told us anything, it’s that quality is just as important as functionality. Functionality gets eyes on your product, but quality gets and keeps buyers.

Start a campaign of information. Give specific metrics on how a lack of security is degrading the quality of your products. Come up with recurring stats to show that the issue won’t simply go away. Get leadership’s buy-in and things will trickle down in the organization.

An engaged workforce

Getting workers to buy into information security is not a binary function. There probably will not be a magic moment where a large group of workers go from indifferent to passionate about security. Get the support of management. Work first on converting those who seem to want to be converted. Be friendly and listen to the ideas of everyone.

The goal is an organization with workers who are focused on information security across all departments. Sitting in the CISO’s office coming up with great ideas for security with a few InfoSec members will never be enough. We need employees from every discipline thinking of security as a crucial part of the quality of their work.


4 thoughts on “Gaining InfoSec Buy-In”

  1. Very good article. I completely agree with you.

    You were right about Newton, but, the biggest motivator/problem is the WHY. Many security people know why, but not all of them.
    I don’t generalize, but I saw security managers who don’t understand the current attacks, they don’t understand how easy it is to do exploitation… -> they don’t get the WHY. This is the root cause of many problems.

    After studying more about penetration testing I became more aware (paranoid for some people). So, in my opinion, education is a key component.

    Also, there are different mentalities in a company. I recommend you read the series of articles about the different types of employees, the first one being:
    http://www.ribbonfarm.com/2009/10/07/the-gervais-principle-or-the-office-according-to-the-office/
    I am sure that you’ll like them.

    It is very difficult to work with both types, ‘losers’ and ‘clueless’, and different strategies should be used. If you want we can discuss this.

  2. Great article! Creating a security-minded culture in an organization is no easy task, but it’s possible. But I think creating that mindset in senior management is probably the most important factor. Once management is able to buy in, then I would go after the everyday users.

  3. Lucian, That was definitely an interesting read. I was unfamiliar with The Organizational Man, and enjoyed learning about it. And I’m an Office fan, so the examples were entertaining.

    Basically, the two groups are going to require different motivations. The ‘losers’ group (I really don’t find that title appropriate; if what they are doing makes them a loser, then so is anyone who buys insurance. Sure, in the big picture it’s a bad investment, but tell that to the guy who lost his house in a fire with no insurance) and ‘clueless’ group (I think I’d rather call them ‘company men’) will need different motivations.

    Losers: The items I listed above will work pretty well for this group. In order for them to continue with their arrangement with the company, they need to meet certain minimums. Security can be inserted into those minimums. It can be done as listed above.

    Clueless: For this group the motivation should actually be easier, but starkly different. We’ll need to spend time explaining the WHY of implementing security. If we accept that middle management (and they really are the ones who need to do the leg work for us in getting security practices pushed down to all layers) are part of this group, then this is the most important way to evangelize security at our leadership meetings. Talk about the potential financial impacts on the company of a security breach, talk about the marketing benefits of increased security, the compliance requirements, and best of all, talk about how it’s the RIGHT THING TO DO.

    Anyway, I appreciate your feedback on this, and really enjoyed reading that article you linked. Are there others in the series? I didn’t see anything as I briefly looked through the site.

    Feel free to reply here or we can chat via email if you prefer.

    -Robb

  4. Marcus,

    Thank you very much for your feedback. As you said, getting senior management on-board is the key first step. A company culture really does start at the top. If you can convince your CEO to stress security regularly at his direct reports meetings, you can bet that you will start to see that discussion filter down to the rest of the company. And fast.

    -Robb
