Why Management Still Doesn’t Get Web Security

Having worked in IT for nearly two and a half decades, I’ve certainly seen my share of blame and abuse thrown the way of IT. Whether the network is down or the application is unavailable, people immediately assume that whatever IT did broke it, even if IT was totally disconnected from the situation.

What many people outside of IT don’t understand is that many issues are beyond IT’s control. Be it external factors such as cloud providers not living up to their SLAs, or internal factors such as management not providing the budget for that needed upgrade, there’s more to IT than just some propeller-head techie being careless.

That said, when it comes to people “getting” IT and, specifically, web security, one thing is certain: IT professionals are just as much to blame as anyone. Sure, management doesn’t get you. But have you ever stopped to think that the way you’re approaching web security may be the reason why? It’s like yelling at a child, telling them not to do something. They might listen in the moment, but they don’t really “hear” what you’re trying to say, and they’ll keep repeating the same behavior. Your approach has everything to do with it.

If you believe your message is too technical for management to understand, it’s not management’s fault. You need to figure out a way to tone down the geek speak.

If you keep preaching to the choir (your peers in IT) rather than focusing on those people who really need to hear your message (management)

If you approach management in an expedient fashion, trying to force them into seeing things your way on web security without regard for their needs, you’ll set yourself up for failure every time. I’ve heard (and experienced through the relationship with my wife!) that people typically need about 72 hours for new ideas to sink in.

Marketing guru Lester Wunderman said “The most dangerous question a prospect or customer asks is “Why should I?” And he may ask it more than once… The product and its communication stream must continue to provide him with both rational and emotional answers.” This is a perfect summation of what you must focus on.

Step back and take your time. Build positive relationships with the people who can help you out. Once management sees that you’re not trying to hustle or swindle them – that there’s value for the business in what you’re proposing – odds are good that they’ll eventually get on board with web security and give you the support you need.

Never ever forget that communication, sales, and overall people skills are every bit as important to your web security success as any hacking skills you’ll develop. Of course, you need to acquire your technical skills and keep them sharp over time, but you cannot afford to let your guard down and ignore the seemingly uncool stuff. Whether you do or you don’t, management will surely notice.

Kevin Beaver

Kevin is an information security consultant with 30 years of experience, providing independent security assessments and penetration tests, security consulting and virtual CISO services, writing and security content development, and speaking engagements (keynotes, panel discussions, and webinars).
  • The irony of what you describe is that the IT folks are usually right with their recommendations. However, being right doesn’t matter if those with the power to make decisions don’t see a reason to implement the suggestions. The powers that be care about risk to their business or mission. They typically measure that risk in dollars lost or dollars spent. Unless IT folks become skilled at translating technical capabilities into business value, their message will fall on deaf ears.

    If they can find a way to show their leadership the relationship between the potential information security threats and the impact these threats could have on their business (e.g., BIA, Compliance Audits) in dollars and cents, their leadership will stand up and take notice. What seems to be missing is a way to aggregate the different pools of information in such a way that such a picture can be easily painted.

  • “Unless IT folks become skilled at translating technical capabilities into business value, their message will fall on deaf ears.” Love it Gerry! Spot on.
