{"id":6218,"date":"2014-07-23T06:00:34","date_gmt":"2014-07-23T13:00:34","guid":{"rendered":"https:\/\/www.paloaltonetworks.com\/blog\/?p=6218"},"modified":"2014-07-21T14:58:29","modified_gmt":"2014-07-21T21:58:29","slug":"get-budget-need-turn-skeptical-executives-security-champions","status":"publish","type":"post","link":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/2014\/07\/get-budget-need-turn-skeptical-executives-security-champions\/","title":{"rendered":"How To Get the Budget You Need and Turn Skeptical Executives Into Security Champions"},"content":{"rendered":"<p>\u201cI don't have any new budget for security this year and I'm becoming more and more concerned about getting attacked by hackers. I also know there's a ton of malware that seems to be getting into my organization and I have no idea how to deal with it.\u00a0My staff is already stretched to the limit and our current firewalls are so old that I'm not sure they're even doing anything to protect us anymore. How can I convince senior management and executives that we need to take action now before something really bad happens?\u201d<\/p>\n<p>Does this sound familiar?<\/p>\n<p>This is a conversation I've had many times with CIOs, IT directors, and countless frontline security professionals throughout the public sector.<\/p>\n<p>Unfortunately for cash-strapped governments, cities, colleges and other public sector institutions, security is often seen as a <em>nice to have<\/em> by the C-level, not as an imperative. Far too often senior executives will point to the fact that they haven't been hacked yet, so what's the point in spending significant amounts of taxpayer money on a problem that doesn't exist?<\/p>\n<p>The problem is that most of these organizations have already in fact been hacked in some way or another. Many are completely infested with malware, overrun with botnets, and riddled with all sorts of other cyber nastiness too. 
The executives just don't know it and don\u2019t want to listen to doomsday scenarios and horror stories. <a href=\"https:\/\/www.paloaltonetworks.com\/blog\/2014\/06\/remediation-fear-answer-everything-really\/\" target=\"_blank\">And as we\u2019ve said many times<\/a>, scare tactics don\u2019t unlock budget with executives, and IT generally doesn\u2019t have the data or the context to explain the problem in a way that will get their attention and make them understand.<\/p>\n<p>So as public sector security professionals, how do we open the conversation with executives to get the budgets we need to effectively do our jobs?<\/p>\n<p>Here are some things that I've seen customers do to change the conversation and turn skeptical executives into security champions:<\/p>\n<p style=\"padding-left: 30px;\"><strong>1. Stop talking about ports and protocols.<\/strong><\/p>\n<p style=\"padding-left: 30px;\">Opening the conversation in technical terms defines the conversation as a technical discussion. Reframing the problem in a way they can understand is the key to getting their attention.<\/p>\n<p style=\"padding-left: 30px;\">One K-12 CIO I worked with recently who completed an <a href=\"http:\/\/connect.paloaltonetworks.com\/avr\/\" target=\"_blank\">Application Visibility and Risk<\/a> report with Palo Alto Networks successfully used the data from\u00a0the report to communicate security problems to the other executives in a completely different way. 
Instead of pointing out all the technical issues, he opened the conversation by saying, \u201cMore people in China are using computers in our schools than our own students and here's the data to prove it.\u201d<\/p>\n<p style=\"padding-left: 30px;\">That really got everyone's attention fast and allowed him to then present the full results of the AVR report and really drill down into what was happening on the network and why it was important to address these problems immediately.<\/p>\n<p style=\"padding-left: 30px;\"><strong>2. Reframe security as an enabler of innovation, not a roadblock.<\/strong><\/p>\n<p style=\"padding-left: 30px;\">For far too long, <a href=\"https:\/\/www.paloaltonetworks.com\/blog\/2014\/07\/stop-encouraging-shadow-start-safely-enabling-innovation\/\" target=\"_blank\">many executives have seen IT security as the preventer of innovation<\/a>. If a department manager wants to use Dropbox to share documents with a contractor, or Skype to reduce costs of long-distance charges and provide affordable videoconferencing, or the public relations department wants to use Facebook for legitimate outreach purposes, it's always been an \u201call or nothing\u201d discussion when it comes to security.<\/p>\n<p style=\"padding-left: 30px;\">In most cases the default answer from IT\u00a0is \u201cno,\u201d or a grudging acceptance of it. Increasingly, IT is never even brought to the table because it is assumed that the answer will always be \u201cno\u201d or at least a lot of complaining, so many think, \"Why bother?\"<\/p>\n<p style=\"padding-left: 30px;\">A hospital CIO I spoke to recently decided on a new tactic that was very successful in changing the\u00a0security conversation completely. 
She told the other executives around the table, \u201cIf it is important to the organization to use these applications, I will find a way to make it happen.\u201d Rather than just saying \u201cno,\u201d she would answer, \u201cYes, we can do that, now let's discuss how you want us to implement it,\u201d to all future requests. This subtle change in approach turned the discussion from a \u201ctechnology problem\u201d into a policy collaboration between IT and the various departments.<\/p>\n<p style=\"padding-left: 30px;\">Continuing the conversation with, \u201cYes, we can safely enable Facebook, but who would you like to have access to it and what would you like to allow them to do?\u201d not only frames the discussion in a positive and enabling manner, but also puts the onus on the whole organization to really think through the requirements and ramifications of allowing users to access a new application.<\/p>\n<p style=\"padding-left: 30px;\"><strong>3. Let them watch the big game, but show them the savings, too.<\/strong><\/p>\n<p style=\"padding-left: 30px;\">Most organizations see security as an expense, almost like insurance with no real ROI. The reality is there are lots of ways that security can actually save an organization money, and not just from potentially avoiding\u00a0doom-and-gloom scenarios resulting from breaches.<\/p>\n<p style=\"padding-left: 30px;\">Changing this conversation from security as \u201cinsurance\u201d to one of proactive cost savings is an extremely effective means of communicating with the C-level, but often involves a little bit of creative thinking. A great example of this comes from another Canadian public sector customer during the recent Winter Olympics.<\/p>\n<p style=\"padding-left: 30px;\">In Canada, access to hockey is pretty much an\u00a0inalienable right, so when it came time for the gold medal game most organizations either paid for extra Internet pipe or saw their Internet access slow to a crawl and become inoperable. 
That left IT in the awkward position of either asking for more budget to allow employees to watch the game at work or blocking it and having an employee revolt on their hands.<\/p>\n<p style=\"padding-left: 30px;\">Rather than accept a no-win situation, this particular IT department deployed a simple policy on their Palo Alto Networks firewall that limited their exposure to this spike in video demand and not only let the fans see the game, but also ensured that the organization could continue doing business during that time without added expense. Everyone was happy and not just because Team Canada won the gold! (Which of course, we did.)<\/p>\n<p style=\"padding-left: 30px;\">While many of their peers couldn\u2019t watch the game because their Internet was down, executives at this organization could see that IT was doing something different and innovative to balance the needs of users with the needs of the organization effectively. This demonstration, along with the detailed cost savings analysis, proactively opened the conversation on how further\u00a0investment in security could\u00a0generate results like this in other areas of the organization.<\/p>\n<p style=\"padding-left: 30px;\">Incidentally, they have also shared this approach with many other public sector organizations that were <a href=\"https:\/\/www.paloaltonetworks.com\/blog\/2014\/06\/channeling-world-cup-passion-smart-security\/\" target=\"_blank\">worried about what the World Cup would do to their Internet connections<\/a>.<\/p>\n<p><strong>In conclusion\u2026<\/strong><\/p>\n<p>Changing the conversation from an IT discussion where security is a cost to the business into a discussion\u00a0of safely enabling innovation by investing in security is the key to unlocking the budgets you need.<\/p>\n<p>The best way to prepare for this conversation is to know what's going on in your organization today and to have\u00a0the data to prove it. 
If you are a current Palo Alto Networks customer my recommendation is to work with your local team or trusted partner to customize reports and dig into the data you're seeing to find real success stories of innovation, opportunity, and investments that will return results to present to the C-level. And again... make sure you back it all up with hard data!<\/p>\n<p>If you're not yet a Palo Alto Networks customer, then completing an evaluation and an\u00a0<a href=\"http:\/\/connect.paloaltonetworks.com\/avr\/\" target=\"_blank\">Application Visibility and Risk Report<\/a>\u00a0is a great first step that can equip you with the information you need to change the conversation quickly and with very little effort and expense on your part.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>\u201cI don't have any new budget for security this year and I'm becoming more and more concerned about getting attacked by hackers. I also know there's a ton of malware that seems &hellip;<\/p>\n","protected":false},"author":40,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[89,155,5,484,131,410],"tags":[300,284],"coauthors":[],"class_list":["post-6218","post","type-post","status-publish","format-standard","hentry","category-ciociso","category-cybersecurity-2","category-firewall","category-government","category-malware-2","category-vertical","tag-budget","tag-public-sector"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/6218","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href"
:"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/users\/40"}],"replies":[{"embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/comments?post=6218"}],"version-history":[{"count":1,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/6218\/revisions"}],"predecessor-version":[{"id":6219,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/6218\/revisions\/6219"}],"wp:attachment":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media?parent=6218"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/categories?post=6218"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/tags?post=6218"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/coauthors?post=6218"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}