Senior management are a challenge for security, so security needs to know how to engage with them.
Speaking at the BSides London conference on 'handling senior management', security consultant Brian Honan said that rather than becoming frustrated at management's lack of interest in investing in security, the scenario should be reversed and IT should know how to sell security to the board.
He said: “The management opinion is 'fix it' and yours is 'give me money', but that is not happening. Usually it is 'not you again' or 'go away and leave me alone'. So we are stuck with the same problem and headache.
“Our hands are tied – it feels like having a fight with a hand tied behind your back. Why is that? Is the problem with senior management or with us? Are we doing it the wrong way? We think that management are stupid but this is not the case; they are people who built the internet and are not experts on IP law or data protection so it is up to us to present in a concise way and make issues to present to the board.”
Honan said that it is important to think about how management think and to realise that security has its own language, so as to make sure that management 'hear you right' and don't see technology spend as money down the drain. “Forget about costs, present your business case to the management, tell them that you need to spend and it is not just a new box,” he said.
“Management do not like grey areas. Find out what the business does and align yourself with it, focus on the benefits and what it can bring to the business. Go to the PR and marketing teams and ask them how you can present better. You need to get everyone working together to fix it.”