I come across this barrier all the time. Basically, you have to "sell" upper management on information security in general. To do this, you need to understand the psychology of the "sell." This does not mean focusing on fear, uncertainty and doubt, but rather understanding that management has three options: buy into your recommendation; buy into another recommendation; or not buy in at all. Unfortunately, too many managers are not buying in at all, usually because the people who are pushing security are not adequately prepared or are not presenting their case in the right context.
A good security "sale" takes three things: show that you understand the business and its needs/goals, rather than just your own technical environment; establish your credibility and generate trust so management can be confident in your recommendations; and then show value and be able to demonstrate positive results from what you're doing. Ongoing progress updates and storage security reports to management can help to maintain a regular dialog on security issues.
Present ideas casually at first. For example, mention potential risks or highlight prospective tools on an informal basis -- this can help managers buy into ideas later on.
09 Mar 2007