There is a lot of perennial talk of social engineering and direct project/resource management. Attempts to solve complicated political situations with manipulation or a slick widget tend not to work well over time, because they do not address the underlying issue.
The wedge of compliance or a mandate from a framework may get some base requirements moving. However, getting people, including chief executives and influential management, toeing the line for a healthy risk and security governance program will take something more. It takes bidirectional respect for the people involved, and bringing the conversation to them in terms that they, your audience, understand.
In short, technology risk in general is not well understood by many practitioners. Outside of direct practitioners it is barely understood at all. Technology risks to the business can be so complicated to understand that they need to be interpreted and put into terms everyone understands, such as dollars.
Fostering a climate of respect, and rewarding long-term goals instead of short-term wins, is key to the success of any real-life security governance program.
I have some thoughts on how to begin.
Respect your audience:
- Present in terms they understand.
- To foster long-term success, win by soft persuasion toward the right path and by finding common goals, not with a compliance beatdown or audit hammer.
Respect people's time:
- Have an agenda for your meetings and stick to it. Get through your agenda, keep it focused, and conclude your meetings quickly. Make effective use of everyone's time.
- Focus your presentations. Have the subject matter you are presenting be relevant and interesting to your audience. “If your numbers are boring, then you’ve got the wrong numbers” said the esteemed Edward Tufte. Keep in mind his criticism of PowerPoint.
- Realize that you must communicate the organization's needs and concerns in a language and context in which they will be understood. This enables the organization, and the individuals in it, to form a measured and concise response.
Respect your resources:
- Project management often overtasks people. Assume good will and respect, extol them, and express them to those with whom you work. Done correctly, you should find a net productivity gain. This is especially true with your indirect reports. Trust but verify, comrade!
- Slow down your initial reaction to assign blame when priorities collide. Make a measured response that will be constructive for your resource, manager, executive, or business partner. Enter the conversation with at least the appearance of malleability and an open mind. The respect shown by at least entertaining the feedback, advice, and input of others in the decision-making process earns good will and political capital.
Respect the constraints of your organization:
- I can’t tell you the number of encounters I have had with peers who understand the role of a security engineer but do not understand risk management. An information security professional is very rarely tasked with eliminating all risks inherent in a system. Most often the task is reducing risk and exposure to levels that are acceptable to the organization, at a cost it can tolerate. The biggest challenge an information security professional has is communicating, in relevant terms, the unmitigated risks and exposures to the organization they are working within. Don’t take it personally when the perfect ideal is not made a reality. Optimize, compartmentalize, and reduce exposure. Getting this fit right is done by putting risk in terms everyone can understand, maturing the organization, and identifying exposures at an early stage of development.
- Because of the vast differences in organizations, there is almost never a silver bullet solution to risk. Everything must be right-sized both at the design table and where the rubber meets the road. Often timetables for change will be longer than desired. The important part is that change is happening. The schedule can change as the landscape, challenges, and risks change.
Too often I hear fellows in the trade using harsh words to begrudge people who do not understand risk management, instead of lamenting their own inability to express it in terms those people will understand. Too often problems arise from not communicating effectively and from not earning or giving respect. This failure in communication is what I read into this CSO Online article about a $10M raise in budget after a showboaty penetration report.
Ira says “grab by the balls.” I say “communicate effectively and with respect.”