Chapter 13. Quick Tips for Gaining and Maintaining Support

A lot of times, people don't know what they want until you show it to them.

Steve Jobs

Let's say you've read everything in this book so far, and you feel ready to kick off your security culture program. You understand the moving parts around taking measurements and setting goals, and you have a good idea of the awareness, behavior management, and culture program elements that will be helpful and appropriate for your organization. All that is great, but there is still one critical component missing: buy-in.

For many reasons, gaining and maintaining executive buy-in is often seen as something of a dark art. This is because there is no standard formula that works every time across all organizations. Gaining buy-in is about connecting with other humans, each of whom has their own preferences and priorities, and convincing those humans that your program fits into what they believe is best for the organization and for them personally. In other words, you obtain buy-in by selling. Selling ideas and selling vision.

You Are a Guide

Let's start by acknowledging a sobering truth: Business leaders don't care about security for the sake of security alone.

What they care about is the result that a sound security strategy can provide and the impacts and risks associated with the lack of a sound security ...
