This document discusses the importance of getting buy-in from stakeholders for information security initiatives. It notes that security teams need to focus on business priorities and corporate strategy, understand the context of problems, and address risks and opportunities to remain relevant. The document recommends that security teams build relationships, share objectives, provide assurance on key metrics, and report on issues in a way that is simple and focused on what matters most to the business.

1. Getting down to business with
security
Kris Budnik
SLVA Information Security
@SLVA_Security

2. Buy-in
…signifiesthecommitmentof interested or
affected partiesto adecision (often called
stakeholders) to 'buy into' thedecision, that is, to
agreeto giveit support, often by having been
involved in itsformulation.

3. Why do you need it?
• To get theresourcesyou need
• To ensureyour initiatives“stick”
• To ensureenterprise-widecooperation
• To get thingsdonequickly
• To remain relevant

4. It’s a crowded space…
Many arecompeting for attention…
• Innovation
• Marketing & Digital
• Lineof business
• Projects
• HR & Change
• Audit & Risk

5. Why don’t they pay attention?
Trigger
Peak of expectations
Trough of disillusionment
Ravine of demise
Valley of oblivion
Plateau of productivity

6. The things we do…
• Focuson thesubject abovecontext
• Respond to security trendsinstead of fundamentals
• Loseperspective
• Becomean obstacle
• Fulfil thewrong role
• Taketoo many shortcuts

7. We have too many resources at
our disposal…
• COBIT
• ITIL
• ISO 2700x
• SANSTop 20
• OWASP
• CIS/NIST

8. The trouble is…
• Too broad, resourceintensive
• Idealistic
• Driveacompliancemindset
• Makeuslazy
• Put together by acommitteewho arepassionate
about their subject
“You cannot answer aquestion about aproblem
outsideof itscontext”

9. An alternate approach
“…get to ashared understanding of aproblem before
attempting to solveit”
• Corporatestrategy (thefuture)
• Businesspriorities(thepresent)
• Addressrisks& opportunities
• Measure& reassure

10. Corporate strategy
• Gain insight on thefutureof thebusiness
• Identify thosewho know
• Keep an ear to theground
• Review annual reports
• Test your assumptions
• Structureyour security programmeto support
realisation of objectives

11. Get “on board”
“ The bo ard and each individual
directo r sho uld have a wo rking
understanding o f the effect o f the
applicable laws, rules, co des and
standards o n the co mpany and its
business”
Usetraining and awarenessasan excuse
to get air time…

12. Business priorities
• Build relationships
• Shareobjectives
• Seek advice
• Understand constraints

13. Tap into & avoid our biases
• Confirmation bias
• Neglecting probability
• Observational selection
• Status-quo bias
• Bandwagon effect
• Projection bias
• Current moment bias

14. Focus on risks & opportunities
• Adopt asolution oriented approach
• Practicesaying “Yes!”

15. Keep it simple
• Do alittlewell, rather than alot badly
• Accesscontrol
• Leak management
• Patch & vulnerability state
• Malwarecontrol

16. Measure and provide assurance
• Report against drivers
- Risk
- Compliance
- Strategic context
Operational status
• Avoid statistics
• Show trends& improvements

17. Report what matters
• Coverage
• Effectiveness
• Adherence
• Competence
• Exposure
• Resilience

18. Thank you
Questions?