Management Buy-In - Part 1: Why You Need It

by Nigel, on 10/12/2018 11:02:00 AM

Every information security framework and “best practice” guide to cyber security states that you need “management buy-in”, but why is it important and what does it look like?

Management buy-in can be referred to by terms such as “top management support” or described as a need to allocate information security responsibilities to a senior member of management, such as a Chief Information Security Officer. Whichever way it is stated, the requirement means that those in the organisation that have strategic visibility over the entire organisation also have a say in the information security priorities.

The most important reason for management buy-in is to make sure the security program meets the business needs. Organisational goals can include such things as high availability of services, maintaining reputation, being agile or ensuring confidentiality. The information security program must work towards these business needs to provide value and justify its existence.

Secondly, organisational risks, including information security risks, are the responsibility of senior management. A good management team will need to understand the risks they are accepting so they are comfortable with their possible level of exposure. If management do not have buy-in, it is quite possible they do not understand their risks and so are “flying blind”.

At a more pragmatic level, resources are allocated by senior management. If a security program is not provided with sufficient staff, time and money then it will not be able to carry out its objectives and provide the level of protection required.

Now that we have established that management buy-in is important, how do you tell how your organisation is faring? The following table shows some ways to identify if you currently have management buy-in. If you can relate to several of the statements in the left column, then you most likely do not have a sufficient level of management buy-in.


| Poor Management Buy-In | Good Management Buy-In |
| --- | --- |
| Security requirements flow from technical staff and vendors up to management. | Security program driven by business goals, which then flow detailed requirements down to implementors, service providers and vendors. |
| Lack of communication between management and those that design and implement the security measures. | Regular communication between management and other levels in the organisation to ensure risks and activities are understood. |
| Staff do not understand their role in providing and supporting information security. | Information security roles and responsibilities defined, and appropriate training is provided. |
| Fragmented security program with poorly understood links between activities. | Holistic security program with all projects working towards a single security vision. |
| Poorly resourced or prioritised security activities, compromising the effectiveness of security measures. | Resources allocated according to priority and justified in terms of the business risk they address. |
| Poor morale amongst security staff and a belief that management does not care. | Security staff understand how they are contributing to the success of the organisation. |

