⁰⁰⁰⁰

Security is already sold to senior management by nature of regulations, fines or worst case imprisonments. If a company already has a IS policy mandate, we have to simply present them of what we are doing today to protect their assets and what we aren’t doing at all from a policy and industry frameworks point of view. Present them the threat and consequences for not getting it done. Show some security index, be prepared to share the cost of not doing vs. doing, so they cam make informed decisions of allocating resources.

@@basictalent1 That might be true on paper, but not all fields are regulated and smaller business can sometimes be exempt from certain regulations (like in the EU, If your company falls within one of the designated branches but has less than 10m revenue and/or less than 50 employees, you are still exempted from the NIS directive). I'm of the opinion that security is sold to a senior management when it actively engages with the topic. Just having a policy because everybody has one is not my definition of a management sold on security. A large part of the job as a practitioner in every rank (security engineer, information security officer, ciso, whatever) is creating awareness and educating people. So security is sold to management when it is a point on the agenda and decisions are actively and consciously being made (and that can include the decision to find other things higher priority than working on security). Because it is a human tendency to prioritise instant gratification on tangible things, security does need to be sold on a continuous basis. Now I do agree that you simply have to present what it is the company is doing and is not doing, what this means for their business in a fairly and accurate way (or at least as accurate as the information you have allows you for). And what the consequences for not getting it done can be within the context of the risk appetite. But management needs to understand that they are responsible for security, you are just the messenger and facilitator. Depending on the maturity of your management in question, you need to educate them and "sell security". It is up to management to make the calls and sign off on things. As a practitioner that is what you have to live with.

Well done on totally missing the point. The video is about talking to senior leadership. You can stroke yourself all you like to the industry definitions of risk in your technical team meetings, but when you have 10 minutes with the board, if you waste 5 minutes explaining the threat * vulnerability * asset value formulas or whatever - game over. You've lost. You'll have bored them to death and they'll get their cyber security advice from their CEO buddies on the golf course based on what that guy's company is doing.

I agree with you here. As soon as he focused on threats not vulnerability I stopped watching. Threat without a vulnerability there is no risk plain and simple.