Why Management Still Doesn’t Get Web Security

Having worked in IT for nearly two and a half decades, I’ve certainly seen my share of blame and abuse thrown the way of IT. Whether the network is down or the application is unavailable, people immediately assume that whatever IT did broke it, even if IT was totally disconnected from the situation.

What many people outside of IT don’t understand is that many issues are beyond IT’s control. Be it external factors such as cloud providers not living up to their SLAs or internal factors such as management not even providing budget for that needed upgrade, there’s more to IT than just some propeller-head techie being careless.

That said, when it comes to people “getting” IT and, specifically, web security, one thing is certain: IT professionals are just as much to blame as anyone. Sure, management doesn’t get you. But have you ever stopped to think that the way you’re approaching web security may be the reason why? It’s like yelling at a child, telling them not to do something. They might listen in the moment, but they don’t really “hear” what you’re trying to say and they’ll keep repeating the same behavior. Your approach has everything to do with it.

If you believe your message is too technical for management to understand, it’s not management’s fault. You need to figure out a way to tone down the geek speak.

If you keep preaching to the choir (your peers in IT) rather than focusing on those people who really need to hear your message (management)

If you approach management in an expedient fashion trying to force them into seeing things your way with web security without regard for their needs, you’ll set yourself up for failure every time. I’ve heard (and experienced through the relationship with my wife!) that people typically need about 72 hours for new ideas to sink in.

Marketing guru Lester Wunderman said, “The most dangerous question a prospect or customer asks is ‘Why should I?’ And he may ask it more than once… The product and its communication stream must continue to provide him with both rational and emotional answers.” This is a perfect summation of what you must focus on.

Step back and take your time. Build positive relationships with the people who can help you out. Once management sees that you’re not trying to hustle or swindle them – that there’s value for the business in what you’re proposing – odds are good that they’ll eventually get on board with web security and give you the support you need.

Never ever forget that communication, sales, and overall people skills are every bit as important to your web security success as any hacking skills you’ll develop. Of course, you need to acquire your technical skills and keep them sharp over time, but you cannot afford to let your guard down and ignore the seemingly uncool stuff. Whether you do or you don’t, management will surely notice.

Kevin Beaver

Kevin Beaver, CISSP, is an independent information security consultant, writer, and professional speaker with Atlanta, GA-based Principle Logic, LLC. With over 32 years in IT and 26 years in security, Kevin specializes in vulnerability and penetration testing, security program reviews, and virtual CISO consulting work to help businesses uncheck the boxes that keep creating a false sense of security.