Your role as CISO (or whatever the title is, the infosec officer of your company) in every security project is to ensure a constant, smooth transition to a more secure state, maintaining the usability and effectiveness of all business processes.
It is not that of an enforcer or a policeman – but rather that of a mentor and correction guide when such is needed.
Forget about mail and spreadsheets when it comes to convincing people and executives about what is better for the organization.
Forget about FUD (fear, uncertainty and doubt) methods – they usually create more resistance than you need and are really negative in the long term.
A positive note with clear visibility of the benefits and decreased risks, along with solid evidence of the necessity of any measure you propose, will always win against a “the sky is falling” approach.
Communicating with senior executives
Every idea you have which has the potential to impact the whole organization (in any way – positively or negatively, whether it succeeds or fails) will have to be discussed with your boss and other senior executives in the organization.
Make sure you do your homework before speaking with them.
Have with you examples of successful implementations of the same or similar ideas in the companies of your competitors (not necessarily in the same country).
Prepare the list of people who will need to be involved, the amount of time your project is going to take from their working hours and the list of other resources needed – keep in mind that the license cost is not always the highest cost a project can incur for your company.
Have a list of alternatives, with the respective cost and consequences of each choice. Make sure you explain everything in their language – that of investment and return on investment. Remember, your company exists to create profits, not to implement every new security technology in town.
Make sure to discuss your ideas with your direct manager and your team before presenting them to senior execs.
Have a good vision of the threats (current and incoming) to your business and of the benefits of mitigating those threats and risks with the suggestion, idea or product you have in mind.
Once you are ready with all of the above, comes the difficult part: create a one-page (two pages at most) summary of everything, explained in a clear way. These two pages of text are sometimes your only chance of making a positive security change in your organization, so use them wisely and show them to your direct manager before speaking with higher levels.
Once in the meeting, speak clearly, calmly and let them ask their questions – if your homework is done properly, you will be prepared for all of them and will walk out of the meeting with the feeling you have left your management calm and confident in your ability to protect their business. You are not there to cause panic – you are there to guard and protect.
Communicating with IT
Now… that is a whole different animal to deal with. People in IT often have the mindset of “this cannot be done” – think of it as their defense against accepting more work in their already far too busy schedules.
Always try to walk in their shoes before suggesting new things, and always try discussing them with several people in the IT team (including their management) over a cup of coffee or during a lunch break. It is much better to hear their side of the story before presenting yours. Besides, it is a psychological thing: you need to work with them, not pour work on them and expect them to just deal with it.
You will be surprised how much helpful advice you will get from your IT team and how much easier it will become working with them the moment you start collaborating with them in the above way.
Instead of “you have to do this task”, you could approach them with “can you help me with ideas on how to properly implement this task?” See? Much better!
Creating a step-by-step plan
You don’t have to create it alone – you can even engage one of the IT team members to help you, with the approval of their manager – in that case you get even more bonus points and an even greater chance of success.
Every security change in the IT environment needs to be properly tested on a small scale. The results of this test will guide the implementation of a larger test. Rinse and repeat until the whole company has transitioned to the new product, technology, configuration change or whatever else you’re implementing.
Hint: it is a good idea to start any configuration change tests within the IT team – that way you can easily tweak settings and discuss them directly with the implementers, who will also be the people affected. Much more effective.
Communicating with everybody else
There are two ways you can be seen in your organization. The first is as the one who always imposes an unbearable burden on people, and the second is as the one who does their best to help people do their job safely and effectively.
Which one do you choose?
Now think about this every time you write an awareness e-mail or choose an awareness poster. Positive is better than negative – remember it. There have been multiple psychological studies proving the effectiveness of a positive message over a negative one.