I spent some time on the road this week, and it was great to see some old friends, meet some new ones, come up to speed on some topics, and more than anything take some time to listen. With my head full of dancing fairies relative to what’s really going on out there, I was interested when I came across Jack Freund’s post on the RiskAnalysis blog called “Executives are not Stupid.” Jack leads off the discussion by mentioning that “You don’t fall into a job to run a company or a line of business.”

You rise to your level of incompetence. Actually, in my experience, continually validated by my primary research, many executives are in over their heads. The Peter Principle is not only alive and well, it gets in the way of the security professional’s charter on a daily basis. Come on, don’t make like you’ve never asked yourself what kind of pictures said executive has on the CEO to keep falling upward. You know you have, and you are probably right. Success in corporate life isn’t restricted to the talented, that’s for sure.

It has been lore for years that to be good at security you have to think like a hacker. All that really means is that you have to understand the attacker’s motivations, get familiar with the tools they use, and use that knowledge to discover the path of least resistance (which tends to be the most significant attack vector). When we recommend that you systematically hack yourself, this is really to familiarize yourself with what the attacker sees.

The same goes for dealing with senior management. A lot of folks just get grumpy when a decision doesn’t go their way. They grumble about how senior management “doesn’t get it,” but in reality it’s a failure on our part to anticipate the (often obvious) reaction of the senior team. Most executives are, frankly, predictable. They act in their own best interests, always. And that means if you want to get anything done, you have to convince the executive that going down the path you suggest is in their best interest.

I know, this clearly involves political machinations and that is likely deplorable to many of you. It’s not my favorite thing to do, which is why I work with Rich and Adrian. But if you want the big title (or even a little title), part of that is playing the game. So you need to plan for success. That means before you pitch a senior exec on your pet project, you need to actively plan a strategy for lining up support. It’s not that hard, but it doesn’t happen by itself. You have to sit down and understand the playing field.

Start by asking yourself two questions, but you need to answer as the executive(s) rather than as yourself. And no, the questions do not include which new BMW you want or which Four Seasons you will visit on holiday.

  • How will this make my life better? You need to have a crisp understanding of why it’s in this executive’s best interest to support your project, and that usually gets down to two things: more money or making him/her look good. If you can position your project for either of these, you have a chance.
  • What is the risk? There is no reward without risk, so you need to really consider the downside for the executive. Where can this go wrong? How would this alienate him/her with peers or higher-ups? Basically you have to build a threat model from the executive’s perspective. And then you need to be able to overcome those objections, or he/she will kill your project. Guaranteed.

Building the threat model and overcoming the objections isn’t easy, which is why so many security folks don’t get what they want. Always remember, it’s not about protection or security. It’s about understanding the goals and success criteria for your organization and every executive that can say no. I know your senior executives aren’t necessarily adversaries, but since they can get in your way and derail your plans you need to map out a strategy to bring them to your side – or at least neutralize them.

And keep in mind that you will not win every battle. Sometimes they’ll still say no, regardless of your strategy or efforts. Keep each setback in context of the entire war, and move on to the next battle. Or decide it was more fun to configure firewalls. That’s always an option.

Photo credit: The Peter Principle: Why Things Go Wrong available on Amazon