How to Talk to Management About Security: Part 1 of 3 – Guest Blog

This entry is part of the series Talking to Management.

I asked my good friend Chris Hayner, who worked with me at Temple University, to write a guest blog. Chris is now the Assistant Director, Systems, and wanted to talk about talking to Management about IT, since many of us don’t do it well. So... enjoy!


How to talk to management about security


Do you have a new strategy to secure your enterprise? A great new idea that is going to make your organization run safer, stronger, better? Your idea will never become anything more than an idea if you are not able to make it applicable and relevant to the goals and objectives of the operational management team.

The majority of IT personnel are unable to approach management with security solutions in the proper way, and are perceived as “security geeks”, the guys in the back computer room. This article is a brief outline of how to present a technical concept to a business audience. It will discuss how to present from a business perspective, how to talk in business (not technical) terms, and ultimately, how to gain support, budget and approval for necessary and beneficial projects.

First, IT and Business Operations must come together to understand the business goals and how those are achieved using technology. The business leaders hired you as specialized experts to contribute to the technical portions of the business operations. You must do so in a way that supports not only the corporate objectives, but also improves the (internal and external) customer experience.

Typically, senior business leaders:

  • Deal primarily in the long term.
  • Are somewhat insulated from day-to-day operations, especially in IT, and rely on various department heads to handle all but the most critical escalations.
  • Are aware of the network and its ability to dramatically impact the business, either positively or negatively.
  • Believe that security, while necessary and important, is a complex and unfamiliar topic. This is largely due to the technical acumen of the personnel who attempt to present the information, and do so in acronyms and “server speak.”
  • Rely on the IT leaders to present IT performance in terms of traditional ratios, dollars and cents. IT, including security, must become better at presenting hard-dollar ROI impact in order to secure bonus participation based on the positive impacts made to the business.

Security is an ongoing project, but one that a manager is apt to consider something that was already ‘done’. Now here you are, proposing a major infrastructure change that will cost the enterprise cash, man-hours and retraining time. From that manager’s standpoint, you are asking to expend vast resources to maintain the status quo. After all, you didn’t get hacked last week, right?

Hopefully the difficulty of the task is clear. In the next sections, we will talk about how to carry yourself when talking to management in general, and in particular how to go about selling your Great Security Idea™.


See more of Chris’ article next Thursday, same place.