When simple reason doesn't do the trick, IT managers find they must use fear to sell their security spending proposals...
to upper management.
Seattle-based security firm WatchGuard Technologies Inc. asked 150 network administrators from small- and mid-sized enterprises about the methods they use to get their security concerns addressed. Almost half the respondents -- subscribers to WatchGuard's LiveSecurity Service -- said their bosses fail to see the need for more security spending unless the worst-case scenarios are rolled out.
"This survey shows that [small- and medium-sized enterprises] can vary greatly in their approach to security," said Mark Stevens, WatchGuard's chief strategy officer. "Despite high-profile attacks and regulatory pressure, a strong security-conscious culture is still not second nature to all organizations. While many organizations treat security as a priority from the top down and are very proactive in their approach, others require more persuasion to implement and update secure practices."
Respondents were asked two questions. The first: "When you present security concerns to senior management, how often do they change standard practices in order to be more secure?" The second was an open-ended question that asked, "When you successfully persuaded them to increase security, what approach did you use?"
To the first question, 12% of respondents said management never changes standard practices in response to their security concerns; 17% said changes are rare; 20% said changes are adopted half the time; 31% said changes come most of the time; and 20% said their concerns are addressed all the time.
To the second question:
- 49% said they must use fear, uncertainty and doubt for their proposals to be adopted;
- 30% are able to make their case with rational facts;
- 5% delegate responsibility up the chain;
- 4% rely on pincer plays by auditors and IT frontline; and
- 12% ask for forgiveness rather than permission.
Stevens said IT managers shouldn't have to resort to fear, and that the solution is to spend more time educating executives on information security and to think of security as a business process.
"To protect against the threat of attack, executive sponsorship is critical," Stevens said. "Organizations need to adopt an approach that incorporates not only technology solutions, but ongoing user education as well as development and enforcement of security policies."