“I don't have any new budget for security this year and I'm becoming more and more concerned about getting attacked by hackers. I also know there's a ton of malware that seems to be getting into my organization and I have no idea how to deal with it. My staff is already stretched to the limit and our current firewalls are so old that I'm not sure they're even doing anything to protect us anymore. How can I convince senior management and executives that we need to take action now before something really bad happens?”
Does this sound familiar?
This is a conversation I've had many times with CIOs, IT directors, and countless frontline security professionals throughout the public sector.
Unfortunately for cash-strapped governments, cities, colleges and other public sector institutions, security is often seen as a nice-to-have by the C-level, not as an imperative. Far too often senior executives will point to the fact that they haven't been hacked yet, so what's the point in spending significant amounts of taxpayer money on a problem that doesn't exist?
The problem is that most of these organizations have in fact already been hacked in some way or another. Many are completely infested with malware, overrun with botnets, and suffering from all sorts of other cyber nastiness too. The executives just don't know it and don’t want to listen to doomsday scenarios and horror stories. And as we’ve said many times, scare tactics don’t work with executives to unlock budget, and IT generally doesn’t have the data or the context to explain the problem to them in a way that will get their attention and make them understand.
So as public sector security professionals, how do we open the conversation with executives to get the budgets we need to effectively do our jobs?
Here are some things that I've seen customers do to change the conversation and turn skeptical executives into security champions:
1. Stop talking about ports and protocols.
Opening the conversation in technical terms defines the conversation as a technical discussion. Reframing the problem in a way they can understand is the key to getting their attention.
One K-12 CIO I worked with recently who completed an Application Visibility and Risk report with Palo Alto Networks successfully used the data from the report to communicate security problems to the other executives in a completely different way. Instead of pointing out all the technical issues he opened the conversation by saying, “More people in China are using computers in our schools than our own students and here's the data to prove it.”
That really got everyone's attention fast and allowed him to then present the full results of the AVR report and really drill down into what was happening on the network and why it was important to address these problems immediately.
2. Reframe security as an enabler of innovation, not a roadblock.
For far too long many executives have seen IT security as the preventer of innovation. If a department manager wants to use Dropbox to share documents with a contractor, or Skype to reduce long-distance charges and provide affordable videoconferencing, or the public relations department wants to use Facebook for legitimate outreach purposes, it's always been an “all or nothing” discussion when it comes to security.
In most cases the default answer from IT is “no,” or at best a grudging acceptance. Increasingly, IT is never even brought to the table because it is assumed that the answer will always be “no,” or at least a lot of complaining, so many think, “Why bother?”
A hospital CIO I spoke to recently decided on a new tactic that was very successful in changing the security conversation completely. She told the other executives around the table, “If it is important to the organization to use these applications, I will find a way to make it happen.” Rather than just saying “no,” she would answer, “Yes, we can do that, now let's discuss how you want us to implement it,” to all future requests. This subtle change in approach turned the discussion from a “technology problem” into a policy collaboration between IT and the various departments.
Continuing the conversation with, “Yes, we can safely enable Facebook, but who would you like to have access to it and what would you like to allow them to do?” not only frames the discussion in a positive and enabling manner, but also puts the onus on the whole organization to really think through the requirements and ramifications of allowing users to access a new application.
3. Let them watch the big game, but show them the savings, too.
Most organizations see security as an expense, almost like insurance with no real ROI. The reality is there are lots of ways that security can actually save an organization money, and not just from potentially avoiding doom-and-gloom scenarios resulting from breaches.
Changing this conversation from security as “insurance” to one of proactive cost savings is an extremely effective means of communicating with the C-level, but often involves a little bit of creative thinking. A great example of this comes from another Canadian public sector customer during the recent Winter Olympics.
In Canada, access to hockey is pretty much an inalienable right, so when it came time for the gold medal game most organizations either paid for extra Internet pipe or saw their Internet access slow to a crawl and become inoperable. That left IT in the awkward position of either asking for more budget to allow employees to watch the game at work or blocking it and having an employee revolt on their hands.
Rather than accept a no-win situation, this particular IT department deployed a simple policy on their Palo Alto Networks firewall that limited their exposure to this spike in video demand and not only let the fans see the game, but also ensured that the organization could continue doing business during that time without added expense. Everyone was happy, and not just because Team Canada won the gold! (Which of course, we did.)
While many of their peers couldn’t watch the game because their Internet was down, executives at this organization could see that IT was doing something different and innovative to effectively balance the needs of users with the needs of the organization. This demonstration, along with a detailed cost savings analysis, proactively opened the conversation on how further investment in security could generate results like this in other areas of the organization.
Incidentally, they have also shared this approach with many other public sector organizations that were worried about what the World Cup would do to their Internet connections.
Changing the conversation from an IT discussion where security is a cost to the business into a discussion of safely enabling innovation by investing in security is the key to unlocking the budgets you need.
The best way to prepare for this conversation is to know what's going on in your organization today and to have the data to prove it. If you are a current Palo Alto Networks customer my recommendation is to work with your local team or trusted partner to customize reports and dig into the data you're seeing to find real success stories of innovation, opportunity, and investments that will return results to present to the C-level. And again... make sure you back it all up with hard data!
If you're not yet a Palo Alto Networks customer, then completing an evaluation and an Application Visibility and Risk Report is a great first step that can equip you with the information you need to change the conversation quickly and with very little effort and expense on your part.