The document discusses selling information security concepts to upper management. It provides 3 steps: 1) understand yourself and your audience, 2) raise situational awareness through penetration testing and metrics, 3) stay informed by learning from current events and others' mistakes. The goal is to convince management to invest in proactive security rather than just reacting to issues.