Friday, April 08, 2011

How to Sell Security

A bold statement: How to Sell Security.  But it is what we have to accomplish in order for those we support to buy in to security practices.  This could apply to any type of consulting practice, but for us it is crucial.  As security practitioners, we are in the know of why Information Assurance is so important to a business or information technology infrastructure.  It is up to us to convince leadership and staff that this is important stuff, that it matters.

I was talking to a former customer, and a friend of mine, this morning.  I asked him how things were going after sharing some of my own challenges at work.  He told me that the biggest pain in the neck they were having was the support calls they have to take.  Their manager had recently come down on them for not getting system builds done on time.  The reason for the lag was that the engineers were instructed to take some of the support calls coming in, but due to setbacks and staffing shortages, the engineers were taking all of the calls coming in.  The first thought in my mind was C I A.  Confidentiality, Integrity, Availability, the three principles of security.  The service of building new systems to support the infrastructure was unavailable to the consumer, therefore a risk was identified to the program.  I relayed to my friend that I believed their day would go by much easier if they hired interns (which in his sector are easily attainable) to man the phones during business hours.  I went further by advising him to put together a tech support handbook with easy, simple troubleshooting techniques to hand over to the interns.  The interns should then in turn start recording the calls in the form of tickets.  It could be an Excel spreadsheet or a Remedy ticketing system, that doesn't matter.  This would serve two functions:

  1. The tickets could be used as metrics to identify whether certain kinds of problems were becoming more prevalent and to assign engineering time to resolve the issue permanently.  This would also track overall effectiveness of the help desk support system in place to identify if more staffing is required.
  2. Open tickets, presumably calls that the intern could not fix themselves on the phone, should be handled by the engineers.  This way, instead of interruptions at 15 minute intervals throughout the day, the engineers would handle only the most challenging cases the consumers are having, maybe twice a day.

And as simple as that, I sold an engineer on security.  I sold him on a mechanism to improve availability and close a vulnerability where production was being halted due to trouble support calls.  

I asked the engineer questions to figure out what his real needs are.  I introduced a new idea and put it in terms of his business area.  I made sure I applied (at least in my head) basic security practices such as assessing and identifying risk, weighing mitigation techniques, and finally providing a solution that was effective but cheap to implement.

Remember that anything can be applied to Security; it's not all just firewalls and hackers.  Security is an essential need in life: in whatever we do, we need security.  When you have identified a problem and want to convince someone, remember your training, and use what you have learned, as Yoda once said.  I wish you luck, and let me know if you have any interesting stories to share about how you sold security.