Corporate buy-in is vital in securing the necessary resources, ensuring security initiatives "stick", fostering enterprise-wide co-operation and getting things done quickly, said Budnik.
However, it is a sorely contested resource that sees security professionals competing with other company divisions, such as marketing and auditing, for the limited devotion of stakeholders, he continued.
To gain support, Budnik advised security professionals to "get a shared understanding of a problem before attempting to solve it". Often, said Budnik, executives are put off security initiatives because they form obstacles to business priorities or do not synthesise well with corporate strategy.
To understand management's concerns, constraints and priorities, Budnik suggested security staff identify and build relationships with people with a working knowledge of these issues, and read through corporate annual reports.Budnik also suggested offering training and awareness sessions to high-ranking executives, to gain access to the right forum. "It's not the presentation that matters. It's you sitting waiting to talk to that crowd and listening to what they have to say."
Building relationships with competing departments to pool resources and work together towards common goals can also be invaluable, he added.
Another human element of security optimisation Budnik discussed was the psychology of choice, advising security professionals to be wary of biases such as selection bias (seeing one's own choice as a dominant standard), status quo bias (resistance to change), and "the bandwagon effect" (wanting to adopt an approach simply because it is popular).
Finally, Budnik advised security staff to adopt a "just say yes" approach, allowing management the features they request and building security around these. "If there's a real business need, it's going to happen anyway, you're just not going to know about it."
Our comments policy does not allow anonymous postings. Read the policy here