4. Make It Personal
If you want to get someone's attention, lay an issue right in their front yard. Once people are made to feel accountable, they will take interest in--and hopefully become advocates for--your proposal. For instance, Cloutier makes a habit of identifying which business leaders "own" which risks and then publicizes these assignments.
"That's powerful--people don't want to be seen as responsible for risk, so they become supporters in helping to mitigate it," Cloutier says. "It's not about fear and uncertainty, it's about feeling accountable for a problem in their area and deciding they're going to help resolve it." The technique encourages a partnership approach, which drives the needed resources.
Clark similarly believes in the power of publicizing ownership. He uses a device that he created earlier in his career, which he calls the "Good, Bad and Ugly" chart. The diagram depicts where each division stands in its progress on current security initiatives. At one company, Clark shared this chart with the CEO and requested that the CEO voice his support for the initiative in his quarterly address. Not only did the CEO promote the project, but he also called out the president of one division that had fallen far behind in achieving project milestones, saying that failing to catch up would result in termination. "Suddenly, everyone was coming to me, asking what they needed to do to catch up," Clark says.
In large companies, it can take some educating to get certain divisions to feel ownership. For instance, at a global manufacturer that Clark worked for, the oil refinery division had lots of interest in security, but a manufacturing division was more tuned in to keeping its factories operational.
"We had to show them that regardless of what they're protecting, they're part of the overall corporate risk," Clark says. "You're only as good as your weakest link. That is a conversation I've had multiple times because different areas didn't want to spend the funds."
5. Preview Your Plans
You usually only get one shot when you request funding, so Gunthner suggests practicing your pitch before showtime. "When I set out to sell a new initiative, I'm looking at three things: Does it make financial sense, what is the business value, and does it support the business strategy," he says. "So after doing all my homework, before officially presenting it, I present it informally to various key stakeholders so I'm not taking something out of the box they've never seen or heard of before."
By the time you make the formal presentation, you have a number of people in your corner who understand the value of what you're trying to do, he says. And if there's a lot of pushback, you need to evaluate whether it's time to move forward or go back to the drawing board. "You typically only have one chance of getting a yes, and if you get a no, you can't go back for several years," Gunthner says.
The stakeholders you gather don't need to be part of the ultimate group making the decision, he says. They just need to be people in divisions who may be affected, for example, facilities, a particular business unit, finance, legal or HR. "I try to rally as many of those people in my corner as I can so that when the day comes--whether they're in the room or not as part of the official decision making--I can say I consulted with XYZ and they're in support of it," he says.
Even if it takes weeks or months, Gunthner says he doesn't move forward with his funding requests until he gains consensus. "All it takes is one stakeholder to say, 'I don't agree,' and the thing is dead in the water," he says. "Let them shoot holes in it--you would rather know beforehand versus when you get turned down altogether."
6. Play Politics
It's also a good move to surround yourself with people who hold power in the organization, such as top money-making business areas, Clark says. "If you get them bought in, everyone else will say, 'If it's good enough for them, it's good enough for us,'" he says. Does that sound cynical to security do-gooders? "That's how the business world works," says Clark.
Additionally, when communicating to the company about the security organization's activities, it's not a bad idea to piggyback newsletters or articles onto communiques that a high-level executive is already sending out. At a previous employer, Clark contributed a monthly column to a weekly newsletter that the number three executive in the company sent out. At another company, he paired up with the CIO's ongoing communications.
"I ask the highest-level person I have a relationship with to send it out," he says. These missives are also a good way to build a campaign for an initiative for which you're trying to gain support.
7. Read Their Minds
It doesn't take a psychic to forecast the concerns and questions certain stakeholders will have--all it takes is a quick study in human behavior. "Certain individuals have hot-button issues they particularly want to dig into," Gunthner says. For instance, HR may have a particular sensitivity to certain employee relations issues, while facilities may be concerned about misplaced assets. "To know what those are and address them in advance gives you a much better opportunity to get your proposal through," he says.
8. Watch Your Timing
Timing is not always something you can control, but it's important to keep in mind that it's "key, key, key," Gunthner says. Even great projects that clearly support business strategy and promise a great return can get turned down if the decision maker is, for whatever reason, having a bad day. "You have one opportunity to get a 'yes,' so timing is crucial," he says. "If you have the ability to pick the right time to present your project, do so. This will increase your chances of getting a 'yes.'"
9. Show, Don't Tell
When presenting to the C-suite, visuals can express your ideas more clearly and quickly than words. When Clark wanted to convey risk exposure to executives at a former employer, he created a mash-up of the company's Web security tools and a spinning globe. He showed a rain cloud advancing over certain cities to show where the risk was highest. "The CEO asked if I could guarantee we wouldn't get hacked, and I said, 'Can you make it stop raining?' No, but you can prepare for the storm to reduce your risk," Clark says.
At eBay, Cullinane has developed a dynamic "risk curve" visual that illustrates the relationship between spending and risk levels. "It tends to get pushed up to the right as new exposures are found and moves down when we take actions to reduce exposure," he says.
Clark also believes in the power of storytelling as a vibrant way to enliven security exposures and successes. He has gone so far as to hire a security marketing analyst, who spends one-third of his time storytelling, whether it's to secure funding or report on ROI. This person is a creative communicator and natural salesperson who, for instance, tells executives what they got for their money, beyond standard ROI, and puts relevant context around news stories of security mishaps and explains what could reduce that kind of risk.
Beyond visuals and storytelling, Cloutier has occasionally turned to the power of the hack to illustrate a technology-related risk. "Especially on the cyber side, we show them how easy it would be to get hacked," Cloutier says. "It's hard to argue."
Similarly, Clark has set up hacking challenges that determine whether he gets funding. At one company with a large number of external-facing websites, the developers firmly believed they had battened down all the hatches and were balking at putting up the money for a particular security initiative. Clark issued a challenge: If he could hack into five of the websites, they would allocate the funds. They agreed, and he was successful. "It was a gamble, but I was pretty confident," he says. Doing something attention-grabbing is sometimes key, he says.
"To be a change agent, you have to be creative and convey things in interesting ways they haven't heard of before," Clark says. "Often, people have their objections already lined up, so you have to think two steps ahead and come at it a completely different way."
This story, "9 Secrets of Getting Stuff Done in a Big Company" was originally published by CSO.