Stop Using the Boogeyman to Sell Security
The boogeyman may be a childish cliche, but security professionals use him all the time in their attempts to convince corporate management to buy into whatever project they're advocating. The security industry has for years been in the business of selling fear. Its dire warnings of catastrophic events have become so commonplace that management has tuned them out. This past summer, I gave a lecture on the CIO's best security practices. I was haunted by the frustrated questions from audience members, who told me they agreed with my recommendations but wanted to know, "How do we get our management to listen?" In some industries, such as financial services, this refusal on the part of management to take security seriously has resulted in federal regulations requiring businesses to implement security controls.
The problem is that we are looking at this issue from the wrong perspective. Security has traditionally been looked at as an infrastructure cost. There is no return on the investment; it is simply a bottom-line cost that must be borne, much like heating and power. Of course, chief financial officers are constantly trying to find ways to trim operating costs, and they don't always differentiate between doing that by cutting security expenditures or by turning off the air conditioning over the weekend.