2KKUU7ita

Chapter 19: Ten Tips for Getting Upper Management Buy-In
Show Value in Your Efforts
Here’s where the rubber meets the road. If you can demonstrate that what
you’re doing offers business value on an ongoing basis, you can maintain a
good pace and not have to constantly plead to keep your ethical hacking
program going. Keep these points in mind:
✓ Document your involvement in IT and information security, and
create ongoing reports for management regarding the state of security
in the organization. Give management examples of how the organization’s
systems will be secured from attacks.
✓ Outline tangible results as a proof of concept. Show sample vulnerability
assessment reports you’ve run on your systems or from the security
tool vendors.
✓ Treat doubts, concerns, and objections by upper management as
requests for more information. Find the answers and go back armed
and ready to prove your ethical-hacking worthiness.
Be Flexible and Adaptable
Prepare yourself for skepticism and rejection at first. It happens a lot,
especially from upper-level managers such as CFOs and CEOs, who are often
completely disconnected from IT and security in the organization. A middle
management structure that lives to create complexity is a party to the
problem as well.
Don’t get defensive. Security is a long-term process, not a short-term product
or single assessment. Start small — use a limited amount of resources, such
as budget, tools, and time, and then build the program over time.
Studies have found that new ideas presented casually and without pressure
are considered and have a higher rate of acceptance than ideas that are
forced on people under a deadline. Just as with a spouse or colleagues at
work, if you focus on and fine tune your approach — at least as much as you
focus on the content of what you’re going to say — you can often get people
on your side, and in return, get a lot more accomplished.
345