When it comes to being successful in security, you must master the ability to “sell” what you're doing. You must sell new security initiatives to executive management. You must sell security policies and controls to users. You even have to sell your customers and business partners on what you're doing to minimize information risks. This selling is made up of various components including credibility and self-confidence, direct involvement with the business, and demonstrating the ongoing value of what you're doing.
There's one aspect of selling, however, that's often unknown or forgotten in the interest of expediency – checking boxes and getting things done yesterday – all bad ways to go about doing things in security. The missing link is patience, or the lack thereof. Sales expert Jeffrey Gitomer said that people don't like to be sold but they love to buy. In other words, they don't want things forced on them, but instead, they want to be in control of the decision-making process. When an idea becomes familiar – in a casual manner – it becomes better understood. It's most certainly less threatening. People will only buy into your ideas when they're convinced that you're on their side. There's a little trick you can use when you present new ideas in the process of selling security to others: do it casually for future consideration.
Psychologists say that people need about 72 hours to absorb new ideas. So, regardless of the subject matter or how urgent you think your issue is, an idea that you present casually and indifferently will be considered more and accepted better over the long-term. It seems like a no-brainer but this is something that's rarely put into practice. When it comes to security, everything is urgent: assessments and audits, technical controls, training programs and even policy-related issues. There's always a fire to put out.
Your job as the person in charge of security is to start thinking about how you can slowly get the right people on board with what you're trying to accomplish. Start today sharing your thoughts, ideas, and goals with management. Talk to your users about what you're doing to not only improve security but also make their jobs easier. Plant the seeds. Let things simmer. Whatever you do, don't force security on others. Think long-term. U.S. Navy admiral Hyman Rickover once said “Good ideas are not adopted automatically. They must be driven into practice with courageous patience." Let this approach help drive your security program. You'll not only build better relationships but you'll have a much better chance of getting things done. That's the sign of a true information security leader.