Four Ways to Convince Execs a Web Security Gateway is Essential
How do you secure executive buy-in for web security gateways? Several information security professionals have asked me this question over the years. Many walk into a new environment and realize internet traffic is not filtered or going through any type of proxy. Obviously, these practitioners understand their network needs a web security gateway solution, but they need assistance with how to accurately and effectively communicate that risk to their executives.
First, get their attention. Pull stats from our 2013 Threat Report. Use a shocking industry-specific or actual in-house example to explain the danger that malware poses to your organization. Don't have one? Go to the Privacy Rights Clearinghouse website and conduct a data breach search. If you have an internal example of malware wreaking havoc or data loss, use it.
Does your company model itself after another company? If so, call their IT security team, network, and ask them how they made their case. Sometimes all it takes is saying, "We asked [insert revered company name here] and they use..." Also, quantify how much time you and your IT teams are spending dealing with help desk requests for malware on workstations, viruses on the network and on re-imaging machines. Describe how you could be spending your time helping the business move forward.
Second, clarify that internet security gateways have evolved over the years from simple URL filtering to providing preventive measures. They protect networks from threats such as malware, becoming part of a bot network and, ultimately, data loss. Many executives still perceive a web security gateway as a simple HR productivity tool, as they did back in the '90s. Given this perception and liberal internet surfing policies, it is no wonder many executives want to avoid blocking websites based on HR policies.
Web security gateways have progressed from primarily an HR tool to an IT tool. Their capabilities extend beyond those of an HR productivity tool: they prevent malware while protecting the network. They also provide factual statistics to management by measuring improved and increased system availability.
Third, define in simple terms how malware utilizes command and control (CnC) to communicate back to a central set of servers on the internet. With a web security gateway, IT can stop this CnC server communication, which can drastically reduce the risk to the enterprise. CnC communication is used in data theft and bot network creation. Malware, such as the many Zeus variants, steals sensitive data such as PII and credit card data. Cybercriminals also use other types of malware to steal intellectual property (IP) from companies. Many DDoS attacks against companies leverage the bot networks that cybercriminals have amassed with their malware and CnC tactics.
Finally, explain that if you don't protect your information, someone will steal it. Implementing a proper web security gateway gives IT the opportunity to stop data loss and keep the company from losing revenue, market share and positive brand perception. To remain economically successful, companies need to protect their intellectual property from theft and possible extortion. Also, it will free up IT shop resources, allowing more time to be devoted to business-enabling projects.
By understanding the importance of IP to the company, you can start to build out threat models that executives can understand. Doing so will ultimately convince management that they can allow liberal use of the internet, but that it is imperative the company protect IP as well as prevent malware from attacking the workstations.
Have any tips on how you secured executive buy-in for web security gateways? Feel free to leave a comment below.