Getting Buy-In for Information Security

Monday, January 24, 2011

Robb Reck


In my experience, the biggest impediment to a high-quality information security posture at an organization is not money or well-informed InfoSec practitioners.

The biggest impediment is getting the frontline workers of an organization to believe in the mission of InfoSec. Rather than waiting for an audit finding or a compliance issue to drive us toward security, we want to get workers thinking and acting secure in their day-to-day behaviors.

In trying to get workers to buy into the mission of InfoSec we have several forces we're fighting against. We're battling busyness, status quo, and the certainty of functionality versus the potential of breaches.


Time is the most limited of all our resources. Every minute of every day we make a decision about how to spend that moment, and we never get to change that decision. When a worker sits down for the day they have to decide how to spend those 8 hours. Quite a few factors will go into that decision.

1.  What fire is burning hottest right now? What will get people off my back?

2.  What is my boss's biggest priority? Nobody wants to go into a meeting with their boss and say they've been ignoring the boss's pet project.

3.  What task am I interested in working on? What task has the fun factor going for it?

4.  What is the highest profile work? What's going to show off the worker as a "go getter" and lead to acknowledgment and advancement?

I'm sure there are many more, but that's a start. So, which of these answers would encourage an employee to focus on security work?

  • Perhaps number 1 might, if there's an audit finding or a breach has just taken place. But that's the wrong way to do security. When a fire is burning it's too late to fix it right. At that point we need to fix it fast instead.
  • Number 2; this looks like a pretty good entry point for InfoSec. Let's get bosses talking about security in their departments, and not just as lip service. Bosses need to communicate that information security is a priority, and then ask their employees how security is being implemented. The InfoSec team must work to make security one of the boss's pet projects.
  • Number 3; every employee has different areas of interest. But we can make security more interesting in how we communicate around it. Invite workers to industry webinars. Email out stories about organizations in your industry being breached or implementing smart new security. By keeping security topics in front of our workers many will start to become interested.
  • Finally, accomplishing high profile work equals recognition, promotions, and raises. What employee wouldn't prioritize that kind of work? So, let's make information security high profile work. InfoSec should publicly acknowledge those who are doing a good job with security. Get bosses to include annual performance evaluation items around security. Talk about security achievements at staff meetings. Once it's known that workers are getting ahead because they practice security, others will follow suit.

The Tyranny of the Status Quo

The basic idea is: the present rules over both the past and the future. What people are doing right now is what they will tend to continue doing. Isaac Newton had it all figured out a long time ago:

"An object in motion tends to remain in motion, and an object at rest tends to remain at rest." - Newton's First Law of Motion

Employees get comfortable in their routines. They will tend to resist change. But the news is not all bad. That also means that once we get people properly considering and implementing security they will tend to continue to be secure. Think of it like getting a heavy item on wheels rolling. That initial shove to get any movement can be a lot of work. Once you've got it rolling along it still takes some work to keep going, but not nearly as much.

We must be deliberate in our attempts to overcome the status quo. Confront the phenomenon head on. Communicate to the workers and their management that we know it's a departure from what they're used to, but explain why we need to make the change and how it will impact their jobs. Be completely upfront about what changes we're asking them to make, then hold them accountable for making the changes. Being direct, and not beating around the bush, lets people know that this "security thing" can't be avoided, and won't just go away if they ignore it.

Once you get the ball rolling... once you have momentum for security within your organization... status quo is working for you. Don't let up. There may be a tendency to walk out of a very successful meeting on security and think, "Well, we've got that taken care of." But it's on those successful events that you can most easily build. Follow up with more events and more communication. Don't let the momentum die.

Instant gratification: Functionality versus Security

Just about any project in life is going to have functional and non-functional requirements. House buyers look for a certain list of items when they buy a new home. They might want 4 bedrooms, 3 bathrooms, and a big yard. Those are functional requirements. What they may not think to ask for is an electrical system that's built to code so the house doesn't catch on fire, or a foundation that's poured deep enough that the house won't shift when the topsoil starts moving. Those are the non-functional requirements of a house. Functional requirements are what will bring you to look at a house, but if it doesn't have the non-functional ones as well, the smart buyer won't even consider the house.

Security is a non-functional requirement. The business does not come up with a new initiative for the sake of its security features. You don't implement a wireless network so that you can try out the new rogue AP detection systems, or the captive portal technology. You implement wireless so that you can connect a system remotely and conveniently, for the functionality.

This truism is another reason that workers don't focus on security. And this fact is simply not going to be something you can change. What you can do is drill into the decision makers that security is an essential part of quality. If the story of the car manufacturers from the last couple decades has told us anything, it's that quality is just as important as functionality. Functionality gets eyes on your product, but quality gets and keeps buyers.

Start a campaign of information. Give specific metrics on how a lack of security is degrading the quality of your products. Come up with recurring stats to show that the issue won't simply go away. Get leadership's buy-in and things will trickle down in the organization.

An engaged workforce

Getting workers to buy into information security is not a binary function. There probably will not be a magic moment where a large group of workers go from indifferent to passionate about security. Get the support of management. Work first on converting those who seem to want to be converted. Be friendly and listen to the ideas of everyone.

The goal is an organization with workers who are focused on information security across all departments. Sitting in the CISO's office coming up with great ideas for security with a few InfoSec members will never be enough. We need employees from every discipline thinking of security as a crucial part of the quality of their work. 

Cross-posted from Enterprise InfoSec Blog from Robb Reck
