As an information security leader inside your organisation, you have a unique opportunity to establish yourself with senior management in a way that is not open to any outsider.

Management will always listen to their trusted advisers. They won't always follow their advice, but they will usually pay attention when they raise an issue, and will usually be interested to find out why they need to do something about it. The trusted adviser, in other words, will almost always get through the first two stages in the AIDA sequence by default.
How does the information security professional become a trusted adviser?
A basic facility with business language, together with the requisite soft skills, is the foundation on which an information security professional builds a career track record of being right more often than not, of under-promising and over-delivering, and of consistently aligning information security strategies with business objectives and the corporate risk appetite.
5: Self-Preparation: Be Credible

The Boy Who Cried Wolf should be an instructional story for many information security professionals: those who identify threats in every technological development, or who always find some new risk to get in the way of taking action today, are playing to senior management's prejudices about what information security people really do. People who find reasons not to do something are very quickly identified, by management, as barriers to progress. They are not trusted advisers.
Do not peddle FUD: Fear, Uncertainty, Doubt (or Disaster). You might successfully sell something to your management once by creating fear, uncertainty and doubt in their minds but, unless the threat about which you frightened them actually comes into existence, and your proposed solution does actually protect the organisation from calamity, you're unlikely to succeed a second time. Most management teams focus on progress, rather than on barriers to progress. If you focus on barriers to progress, you are likely to become increasingly unable to secure the information security investment you believe the business needs but, conversely, you are guaranteed to find yourself on the receiving end of management's ire when something bad does actually happen.
So, don't spend your days crying 'Wolf!'. Instead, concentrate on finding solutions to real business problems, maximising return on the investment that has already been made in information security, ensuring that projects move quickly and efficiently to a conclusion and, above all, that users are able to access the information and technology resources they need, as and when they need them. Helping senior managers achieve their own objectives helps you develop potentially important future allies.
At the heart of a trusted adviser's role is a consistent commitment to 'tell it how it is'. By this, I do not mean that you should just speak your mind, because balance, perspective, judgement and pragmatism are the human qualities that underpin someone's ability to provide advice that will be valued.
All information security solutions have their pros and cons; you have to present both, balance one against the other, and explain how you arrive at your judgement that it is, 'on balance', better to proceed or not to proceed. Develop an internal reputation for providing a balanced explanation of the business benefits to be derived from deploying a particular solution, together with clarity about the real costs (and we should be talking Total Cost of Ownership ('TCO') and not just the purchase or initial investment cost) and possible disruption caused by the deployment, and a clear exposition of the return that the organisation might expect to make on this investment.
Credibility is particularly important around IT-related regulation. Regulatory compliance is an increasingly big challenge for the IT leader: data protection, privacy, PCI DSS, SOX, HIPAA and computer misuse are just some of the legal areas that impact the IT organisation. A compliance failure may have a negative impact on the organisation: cost of remediation, restitution, brand damage, fines, class action suits and so on. However, the consequences of non-compliance vary between laws, and the steps between identification of a compliance breach and action against the organisation vary from law to law. It is important to understand how enforcement actually works and to include this knowledge in how you explain the compliance aspects of a proposal to the