chapter  2
Selling Your Security Program to the C-Suite
WithJean Perois
Pages 22

In this chapter, I come back to the issue of credibility most security managers face when it comes to the decision-making level. I will consider both the case of the proprietary security manager, employed by the organization and traditionally reporting to a VP or CSO, and the case of the security consultant deployed to protect a group of expatriate workers in volatile environments. Both these security practitioners often have to face opposition from the management, which either finds the threats advanced by their security manager ludicrous, thereby denying credibility (and budget) to the security department outside of basic requirements (guard force, vehicles, a basic CCTV operation, and a symbolic access control system) or tries to transfer their responsibility for a decision to the security manager in case of crisis, emergency, or the need to trigger an evacuation plan (which should not be the case; most of the time the security manager or consultant works in an advisory capacity).

In this chapter I will also discuss the expectations of the executive management toward the security practitioner—how it should be and how it is often in reality—and I will hint at the traps the security manager should try to avoid. This is based on my experience as a security manager in a big organization as well as my experience as a security consultant deployed in unstable environments.