Selling Information Security to the Board: A Primer
By Alan Calder
()
About this ebook
Information technology plays a fundamental role in the operations of any modern business. While the confidentiality and integrity of your organisation's information have to be protected, a business still needs to have this information readily available in order to be able to function from day to day. If you are an information security practitioner, you need to be able to sell complex and often technical solutions to boards and management teams.
Persuading the board to invest in information security measures requires sales skills. As an information security professional, you are a scientific and technical specialist; and yet you need to get your message across to people whose primary interests lie elsewhere, in turnover and overall performance. In other words, you need to develop sales and marketing skills.
This pocket guide will help you with the essential sales skills that persuade company directors to commit money and resources to your information security initiatives.
Alan Calder
Alan Calder is a leading author on IT governance and information security issues. He is the CEO of GRC International Group plc, the AIM-listed company that owns IT Governance Ltd. Alan is an acknowledged international cyber security guru. He has been involved in the development of a wide range of information security management training courses that have been accredited by the International Board for IT Governance Qualifications (IBITGQ). He is a frequent media commentator on information security and IT governance issues, and has contributed articles and expert comment to a wide range of trade, national and online news outlets.
Read more from Alan Calder
ISO 22301:2019 and business continuity management - Understand how to plan, implement and enhance a business continuity management system (BCMS) Rating: 5 out of 5 stars5/5IT Governance: Implementing Frameworks and Standards for the Corporate Governance of IT Rating: 4 out of 5 stars4/5Information Security Risk Management for ISO 27001/ISO 27002, third edition Rating: 4 out of 5 stars4/5ISO/IEC 38500: The IT Governance Standard Rating: 5 out of 5 stars5/5Risk Assessment for Asset Owners Rating: 4 out of 5 stars4/5Information Security Risk Management for ISO27001/ISO27002 Rating: 4 out of 5 stars4/5PCI DSS: A pocket guide, sixth edition Rating: 0 out of 5 stars0 ratingsCyber Essentials: A Pocket Guide Rating: 5 out of 5 stars5/5The Case for ISO27001:2013 Rating: 1 out of 5 stars1/5EU GDPR - A pocket guide, second edition Rating: 0 out of 5 stars0 ratingsIT Governance: A Pocket Guide Rating: 3 out of 5 stars3/5Cyber Essentials: A guide to the Cyber Essentials and Cyber Essentials Plus certifications Rating: 0 out of 5 stars0 ratingsPCI DSS: A Pocket Guide Rating: 2 out of 5 stars2/5ISO 27001/ISO 27002: A guide to information security management systems Rating: 0 out of 5 stars0 ratingsPCI DSS: A Pocket Guide, fourth edition Rating: 0 out of 5 stars0 ratingsCompliance for Green IT: A Pocket Guide Rating: 5 out of 5 stars5/5The EU Data Protection Code of Conduct for Cloud Service Providers: A guide to compliance Rating: 0 out of 5 stars0 ratingsNetwork and Information Systems (NIS) Regulations - A pocket guide for operators of essential services Rating: 0 out of 5 stars0 ratingsNetwork and Information Systems (NIS) Regulations - A pocket guide for digital service providers Rating: 0 out of 5 stars0 ratingsIT Governance Critical Issues Series: Cyber Security Rating: 0 out of 5 stars0 ratingsNine Steps to Success: North American edition: An ISO 27001 Implementation Overview Rating: 0 out of 5 stars0 ratingsThe Green Agenda: A Business Guide Rating: 0 out of 5 stars0 ratingsA concise introduction to the NIS Directive: A pocket guide for digital service providers Rating: 0 out of 5 stars0 ratingsIT Regulatory Compliance in the UK Rating: 0 out of 5 stars0 ratingsThe Green Office: A Business Guide Rating: 0 out of 5 stars0 ratingsPCI DSS: A Pocket Guide - 3rd edition Rating: 0 out of 5 stars0 ratings
Related to Selling Information Security to the Board
Related ebooks
Nine Steps to Success: An ISO27001:2013 Implementation Overview Rating: 1 out of 5 stars1/5The Case for ISO27001:2013 Rating: 1 out of 5 stars1/5Transformational Security Awareness: What Neuroscientists, Storytellers, and Marketers Can Teach Us About Driving Secure Behaviors Rating: 0 out of 5 stars0 ratingsThe Human Fix to Human Risk: 5 Steps to Fostering a Culture of Cyber Security Awareness Rating: 0 out of 5 stars0 ratingsInformation Security Breaches: Avoidance and Treatment based on ISO27001 Rating: 0 out of 5 stars0 ratingsInformation Security Auditor: Careers in information security Rating: 0 out of 5 stars0 ratingsThe Chief Information Security Officer: Insights, tools and survival skills Rating: 1 out of 5 stars1/5Infosec Management Fundamentals Rating: 5 out of 5 stars5/5Getting an Information Security Job For Dummies Rating: 0 out of 5 stars0 ratingsInformation Security Governance: A Practical Development and Implementation Approach Rating: 0 out of 5 stars0 ratingsInformation Security A Practical Guide: Bridging the gap between IT and management Rating: 5 out of 5 stars5/5Cyber Intelligence-Driven Risk: How to Build and Use Cyber Intelligence for Business Risk Decisions Rating: 0 out of 5 stars0 ratingsCertified Cybersecurity Compliance Professional Rating: 5 out of 5 stars5/5Building an Information Security Awareness Program: Defending Against Social Engineering and Technical Threats Rating: 0 out of 5 stars0 ratingsIT Induction and Information Security Awareness: A Pocket Guide Rating: 0 out of 5 stars0 ratingsAsset Security: CISSP, #2 Rating: 0 out of 5 stars0 ratingsThe Insider Threat: Combatting the Enemy Within Rating: 0 out of 5 stars0 ratingsAn Introduction to Information Security and ISO27001:2013: A Pocket Guide Rating: 4 out of 5 stars4/5Information Security Risk Management for ISO27001/ISO27002 Rating: 4 out of 5 stars4/5The Psychology of Information Security: Resolving conflicts between security compliance and human behaviour Rating: 5 out of 5 stars5/5CISA Certified Information Systems Auditor Study Guide Rating: 5 out of 5 stars5/5Cyber Security Awareness for CEOs and Management Rating: 2 out of 5 stars2/5PCI DSS: A Pocket Guide, fourth edition Rating: 0 out of 5 stars0 ratingsSecurity Leader Insights for Success: Lessons and Strategies from Leading Security Professionals Rating: 0 out of 5 stars0 ratingsCyber Essentials: A Pocket Guide Rating: 5 out of 5 stars5/5Security Leader Insights for Effective Management: Lessons and Strategies from Leading Security Professionals Rating: 0 out of 5 stars0 ratingsSecurity and Risk Management: CISSP, #1 Rating: 5 out of 5 stars5/5Risk Management and Information Systems Control Rating: 5 out of 5 stars5/5Cyber Resilience: Defence-in-depth principles Rating: 0 out of 5 stars0 ratings8 Steps to Better Security: A Simple Cyber Resilience Guide for Business Rating: 0 out of 5 stars0 ratings
Computers For You
The Mega Box: The Ultimate Guide to the Best Free Resources on the Internet Rating: 4 out of 5 stars4/5Mastering ChatGPT: 21 Prompts Templates for Effortless Writing Rating: 5 out of 5 stars5/5Procreate for Beginners: Introduction to Procreate for Drawing and Illustrating on the iPad Rating: 0 out of 5 stars0 ratingsStorytelling with Data: Let's Practice! Rating: 4 out of 5 stars4/5Quantum Computing For Dummies Rating: 0 out of 5 stars0 ratingsThe ChatGPT Millionaire Handbook: Make Money Online With the Power of AI Technology Rating: 0 out of 5 stars0 ratingsTor and the Dark Art of Anonymity Rating: 5 out of 5 stars5/5AWS Certified Cloud Practitioner All-in-One Exam Guide (Exam CLF-C01) Rating: 5 out of 5 stars5/5SQL QuickStart Guide: The Simplified Beginner's Guide to Managing, Analyzing, and Manipulating Data With SQL Rating: 4 out of 5 stars4/5CompTIA Security+ Get Certified Get Ahead: SY0-701 Study Guide Rating: 5 out of 5 stars5/5Deep Search: How to Explore the Internet More Effectively Rating: 5 out of 5 stars5/5Artificial Intelligence: The Complete Beginner’s Guide to the Future of A.I. Rating: 4 out of 5 stars4/5Grokking Algorithms: An illustrated guide for programmers and other curious people Rating: 4 out of 5 stars4/5101 Awesome Builds: Minecraft® Secrets from the World's Greatest Crafters Rating: 4 out of 5 stars4/5Practical Lock Picking: A Physical Penetration Tester's Training Guide Rating: 5 out of 5 stars5/5Learning the Chess Openings Rating: 5 out of 5 stars5/5Everybody Lies: Big Data, New Data, and What the Internet Can Tell Us About Who We Really Are Rating: 4 out of 5 stars4/5AP® Computer Science Principles Crash Course Rating: 0 out of 5 stars0 ratingsCompTIA Security+ Practice Questions Rating: 2 out of 5 stars2/5Elon Musk Rating: 4 out of 5 stars4/5Ultimate Guide to Mastering Command Blocks!: Minecraft Keys to Unlocking Secret Commands Rating: 5 out of 5 stars5/5User Friendly: How the Hidden Rules of Design Are Changing the Way We Live, Work, and Play Rating: 4 out of 5 stars4/5CompTIA IT Fundamentals (ITF+) Study Guide: Exam FC0-U61 Rating: 0 out of 5 stars0 ratingsThe Professional Voiceover Handbook: Voiceover training, #1 Rating: 5 out of 5 stars5/5
Reviews for Selling Information Security to the Board
0 ratings0 reviews
Book preview
Selling Information Security to the Board - Alan Calder
Resources
INTRODUCTION
C-suite IT and information security executives have usually attained their responsible positions by being good at the technical aspects of their functions. Their background, schooling and higher education are mostly in science or technology disciplines. They understand information technology, they’re usually up to date with the latest threat developments, trends and risks, and they know their way around the network infrastructure. They may have a good understanding of IT-related best practice frameworks, such as ITIL®, COBIT®, PRINCE2® and ISO27001. They understand information risk.
Boards, however, across most business sectors, are mainly made up of people drawn from a wider educational background, and whose business experience is primarily in commercial operations or sales. The chief executive is almost always someone whose career includes at least a significant stint in general operations, sales or marketing. His or her primary interest is the overall performance of the business: top-line growth, customer acquisition and maintenance, new product/service development, and bottom-line progression. The second most influential person in the top team is usually the chief financial officer, or finance director, someone whose primary interest is the financial representation of the business performance.
Other senior directors are usually directly interested in their line of business or area of functional responsibility whether, for example, sales and marketing, or senior divisional roles. Non-executive board members tend also to be there for reasons other than their interest in, or awareness of, emerging technologies: it might be finance or compliance, but it is usually related more to what they can offer around customer acquisition, sales and marketing, or stakeholder management. Other than in technology businesses, few if any members of the senior management team, have a direct role or interest in IT or in IT’s role in business operations.
Information technology is fundamental to business performance today. Information and information technology has to be appropriately protected: confidentiality and integrity must be preserved, while ensuring that information and technology resources are available to those who need them to perform their roles. IT and information security requires investment – of money, time and resources – by the business. Decisions about where and how to invest business resources are made by top management, people with little awareness of, and less interest in, something about which you, the technology or security leader, may be extremely knowledgeable, and the benefits of which are, to you, as plain as the nose on your face.
The problem, in a nutshell, is that for the good of the organisation, you have to find some way of getting uninterested managers and directors to understand enough about a potential technology risk to commit money and resources to applying effective controls. This is a problem faced by sales and marketing people every day: it’s how your organisation’s products and services get (eventually) into the hands of customers.
You’re not a sales and marketing professional. You may even think that sales and marketing professionals swim in the shallow end of the relationship pool. A significant part of the senior management team is made up of people with sales and marketing backgrounds and you need to find a way of getting your message to