In many projects I find that companies and leaders don’t have a good understanding of the goal of their projects. I use the statement that ‘the reporting is the goal’ and get sideways looks from people. From the management era of you can only succeed at what you can measure, I agree to a large extent. When you are starting a security project you should know what success will look like, and hopefully you should be able to measure that before you start. ‘We’re going to understand the layout of the network and update that understanding weekly’ looks very different from ‘we’ll protect assets from intrusion’.
The issue with most projects is that they don’t have a clear goal and lacking that there is no way to prioritize work. Understanding what the payoff is for a project up front is what makes the project workable. Most people today are swamped with work, more than any two people could complete. What that means is they will have to prioritize the work they do and they are going to spend time working on the project that provides the best payoff to them.
The reality of this is you don’t simply need to sell the project to management, you need to sell the project to the people who are going to make it happen. The best part is that these people are the most discriminating individuals you might have to sell ever. They need to believe that the success of the project means a better life, easier work, or more autonomy for them.
Most IT folks are lazy, the kind of lazy that will put in 40 hours of overtime to ensure that a 5 minute weekly action is automated. They want to see the right thing happen but that also means fewer problems and less work on their part. What this buys you if you focus it correctly is a more regular environment and a regular environment is a bonus for security. If these folks understand what the project is going to do for them, they will work tirelessly to advance the project.