Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


01:00 PM
Connect Directly
E-Mail vvv

Solving the Leadership Buy-In Impasse With Data

Justify your requirements with real numbers to get support for security investments.

Are you having trouble receiving buy-in from senior leadership for your security programs? Are you having difficulty obtaining funding for your programs outside of the usual three G's — guards, guns, and gates? Let me share how I have been successful in gaining buy-in for investing in security from senior leadership.

The goal is to focus on changing senior leadership's mindset and culture. How do I do it? The answer is data. Security is in the customer service business. Our customers drive the services that we provide to our organization. Data tells our story. Most senior leaders do not understand the depths of security and our daily duties. Security typically operates in a vacuum, which makes it difficult to tell our story. And if we are unable to tell our story, we will never receive buy-in from leadership. Still not sold? Allow me to elaborate.

Related Content:

How to Boost Executive Buy-In for Security Investments

Special Report: Building an Effective Cybersecurity Incident Response Team

New From The Edge: Cartoon Caption Winner: In Hot Water

For each security program you have, start tracking each service you provide. A perfect example of this would be how law enforcement tracks its calls for service. For instance, when a dispatcher sends a police officer to a call, that call is recorded in a tracker that is used to generate working hours at the end of the calendar year.

You can apply the same concept to each of your IT security programs. For example, in February, the Security Department's Identity Credentialing and Access Management (ICAM) program compiled the following numbers for ID cards:

  • New Issuance: 83 
  • Pin Resets: 43
  • Physical Access Control Mapping: 84
  • Certificate Updates: 37
  • Lost/Stolen/Missing Card Replacements: 12
  • ID Card Destructions: 7
  • Employee Separations: 8
  • Employee Onboarding: 12

Now, imagine tracking the services for all your security programs, administrative taskers, staff hours, and so on. Sure, there will be growing pains when you're formulating a tracking sheet and asking your staff to take on the added workload. I can assure you, though, that the extra effort is worth it and will return on your investment of time.

Another benefit to the process of recording these numbers monthly is that your senior security officer can also use this data to provide weekly, monthly, and year-end reports to senior staff. Having the ability to provide data, at any given time, for essential security services is vital to the organization and its mission.

The most significant element is that you now have the data to justify your security program's needs. The data will also help security officials determine whether security programs provide value to an organization or cost them unnecessary funds that could save the organization money. Reallocating that funding could benefit other areas of the organization, including procuring security equipment, systems, or even training. That data could also be used to justify staffing needs.

Most importantly, the goal is to let the data tell your security program's story and defeat the old mindset that security is only about the three G's.

Richard Amburgey is a Chief Security Officer (CSO), leading, advising, and coordinating security operations, protecting the Bureau of Labor Statistics (BLS). After nearly 20 years in security and law enforcement for government agencies, Richard understands the importance of ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Cyberattacks Are Tailored to Employees ... Why Isn't Security Training?
Tim Sadler, CEO and co-founder of Tessian,  6/17/2021
7 Powerful Cybersecurity Skills the Energy Sector Needs Most
Pam Baker, Contributing Writer,  6/22/2021
Microsoft Disrupts Large-Scale BEC Campaign Across Web Services
Kelly Sheridan, Staff Editor, Dark Reading,  6/15/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-23
Vulnerability in OpenGrok (component: Web App). Versions that are affected are 1.6.7 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise OpenGrok. Successful attacks of this vulnerability can result in takeover of OpenGrok. CVSS 3.1 ...
PUBLISHED: 2021-06-23
A vulnerability in SonicOS where the HTTP server response leaks partial memory by sending a crafted HTTP request, this can potentially lead to an internal sensitive data disclosure vulnerability.
PUBLISHED: 2021-06-23
A command execution vulnerability exists in the default legacy spellchecker plugin in Moodle 3.10. A specially crafted series of HTTP requests can lead to command execution. An attacker must have administrator privileges to exploit this vulnerabilities.
PUBLISHED: 2021-06-23
Heap based buffer overflow in tsMuxer 2.6.16 allows attackers to cause a Denial of Service (DoS) by running the application with a crafted file.
PUBLISHED: 2021-06-23
Heap based buffer overflow in tsMuxer 2.6.16 allows attackers to cause a Denial of Service (DoS) by running the application with a crafted file.