Chapter 20

Ten Tips for Getting Security Buy-In

Dozens of key steps exist for obtaining the buy-in and sponsorship that you need to support your security testing efforts. In this chapter, I describe the ten that I find to be most effective.

Cultivate an Ally and a Sponsor

Although well-known breaches and compliance pressures are pushing things along, selling security to management isn’t something that you want to tackle alone. Get an ally — preferably, your direct manager or someone at that level or higher in the organization. Choose someone who understands the value of security testing as well as information security in general. Although this person may not be able to speak for you directly, he or she can be seen as an unbiased sponsor, giving you more credibility.

Don’t Be a FUDdy-Duddy

Sherlock Holmes said, “It is a capital mistake to theorize before one has data.” To make a good case for information security and the need for proper testing, support your case with relevant data: findings from previous assessments, incidents the organization has actually experienced, and the concrete business impact each one carries. But don’t blow things out of proportion for the sake of stirring up fear, uncertainty, and doubt (FUD). Business leaders can see right through that tactic. Focus on educating management with practical advice. Discussing rational fears that are proportional to the threat is fine. Just don’t take the Chicken Little route, claiming that the sky is falling all the time. That’s tiring to those outside IT and security and will only hurt you over the long haul.

Demonstrate That the Organization ...

Excerpt from Hacking For Dummies, 6th Edition.