In an executive-level pitch for more firewalls, you might use the metaphor of needing brakes on a car, not for stopping but to go faster safely, Clark suggests. "Or if executives want to bring iPads in, you don't want to be the guy saying, 'No iPads'; it's 'Yes, iPads, but here's an extra piece of software on the network to secure it.'"
The fact is, most business executives only become concerned about security violations when it's clear how the exposure will affect the top or bottom lines, and it's your job to make that connection for them. When Cloutier's team recently conducted a review of business-process risk, for instance, it discovered its data-monitoring controls were no longer optimal for one unit because of a change in the way the unit was transferring data. To make the case for the technology upgrade that would fix the issue, the team made the link between the security weakness and the unit's ability to get certifications that would allow it to win more contracts.
"We put it in terms the unit would understand," Cloutier says. "They weren't so concerned about the actual security violations, but how it would impact their ability to generate new revenue because certain certifications would not be available to them otherwise." As a result, "they became our number-one business supporter in deploying new technology to remediate it," he says.
4. Make It Personal
If you want to get someone's attention, lay an issue right in their front yard. Once people are made to feel accountable, they will take interest in--and hopefully become advocates for--your proposal. For instance, Cloutier makes a habit of identifying which business leaders "own" which risks and then publicizes these assignments.
"That's powerful--people don't want to be seen as responsible for risk, so they become supporters in helping to mitigate it," Cloutier says. "It's not about fear and uncertainty, it's about feeling accountable for a problem in their area and deciding they're going to help resolve it." The technique encourages a partnership approach, which drives the needed resources.
Clark similarly believes in the power of publicizing ownership. He uses a device that he created earlier in his career, which he calls the "Good, Bad and Ugly" chart. The diagram depicts where each division stands in its progress on current security initiatives. At one company, Clark shared this chart with the CEO and requested that the CEO voice his support for the initiative in his quarterly address. Not only did the CEO promote the project, but he also called out the president of one division that had fallen far behind in achieving project milestones, saying that failing to catch up would result in termination. "Suddenly, everyone was coming to me, asking what they needed to do to catch up," Clark says.