Lee Brotherston, director of security at IoT startup ecobee and all-around security ninja, joined us on our latest episode of Security Nation to discuss what it takes to get buy-in from the top and his experiences introducing security into newer companies. Here’s a blueprint for getting sufficient support from the corner offices.
Take it from the top
The first step toward getting a glowing C-suite endorsement for your security endeavors is simply to understand why you don’t already have it. As Lee points out, it probably has less to do with the message you’re trying to convey and more to do with how you’re presenting it.
Think about it this way. Suppose you had a knock at your door and found a neatly kept gentleman on your porch who begins to explain that he’s an insecticide expert, and your prized willow tree in your backyard is in danger. With an impressive use of very technical terms, he informs you of the growing threat from some exotic insect that could potentially destroy your cherished tree.
Do you buy what he’s selling? You’ve never seen these insects, you can’t even pronounce their name, and you certainly didn’t understand half the technical jargon that came out of his mouth. All you want to do is enjoy your hammock underneath the tree’s giant limbs. After all, they seem healthy enough and still provide plenty of shade!
It’s no different when the subject of security comes up in a group of executives. What you’re selling is important and does impact what they hold near and dear to their hearts, but that’s not what they’re going to hear.
The main issue? Your message is coming from the perspective of someone who lives and breathes security. Unless your leadership team is full of former CISOs, their business priorities—and associated vocabulary—are likely different enough to mean something gets lost in translation.
How to get the message across
So, how do you learn to speak the same language as your audience? Lee is the first to admit it’s never easy, but with that said, he does have a few tricks up his sleeve:
1. Change your perspective
First, you should find a new point of view. Taking a business approach to discussions about security means you’re using the same language your audience is likely to speak. Instead of coming to the table with a toolbox full of technical protocols and policies you’re ready to implement, be relatable above all else and focus on the visible aspects that drive real benefit.
2. Showcase the benefit they want to see
Before getting buy-in from the C-suite, ask yourself what’s at the top of their priority list every morning, then find visible ties from these important assets to actionable security deliverables. Whether that is protecting intellectual property or safeguarding uptime and availability, Lee said he sees the value in going for the “quick win.” Don’t worry, the rest will follow.
3. Be an enabler, not an enforcer
Finally, resist the temptation to enforce your own security philosophy. Such tactics only serve to reinforce between their world and yours. Instead, purpose your efforts toward enabling.
For example, rather than coming out of left field with a plan for moving company web apps to HTTPS, spend some time demonstrating the vulnerabilities of HTTP and how to spot insecure sites in the real world. This serves two functions: enabling safer internet habits, and instilling a relatable appreciation for the security measures you plan to implement. In other words? Buy-in.
To sum things up, getting your bosses on board for your grand security plans doesn’t require inhuman levels of diplomatic mastery. On the contrary, all that’s needed is a bit of insight and perspective. With the help of Lee’s advice, you’ll find yourself in a much better position to garner buy-in and champion the change you want to see.
Want to hear more of what Lee has to say? Listen to our podcast, “How to Start a Security Program from Scratch Without Your Initiatives Getting Cut” below, and be sure to subscribe for more episodes like this!