Maksim Kabakou - Fotolia
Security Think Tank: Business needs to see infosec pros as trusted advisers
How can security professionals communicate effectively with the board and senior business leaders – what works and what doesn’t?
Cyber security is top of mind for boards and senior business executives, yet security professionals find themselves hard-pressed to get the message across.
Getting the message across is critical not only for the success of the organisation’s security initiatives, but also for its overall security posture. It can determine overall business success or failure in today’s era of dynamic and evolving technologies, such as the internet of things (IoT) and machine learning, and regulations such as the EU’s General Data Protection Regulation (GDPR).
Both parties share the same objective, but often seem to be approaching the matter from opposing sides of the chasm. Isaca research indicates that a major issue facing CISOs is how they communicate security to boards and other senior executives.
The correct balance lies between relaying the right amount of information and not indulging in the usual mantra of fear, uncertainty and doubt, and fostering the right working culture.
The first issue clouding communication between security professionals and the board or senior business leaders is the misunderstanding that IT risk is separate from business risk. Nothing could be further from the truth, especially considering that in most organisations today, the separation between what is IT and what is business is hard to identify because technology is the backbone of everything the business does.
The second issue relates to how the message is packaged. Is the language full of technical jargon, or is it simple to understand and gets the message across in business terms? Does it highlight the loss to the business in terms understood by the board and senior business leaders?
Take the example of when business downtime is required when a patch needs to be applied. Instead of talking in terms of the technical threats and the outcomes of poor patching, security professionals would be more effective explaining it in terms of loss to the business, such as lost opportunities or losses from an attack that may occur because of the unpatched status.
The third issue is: what metrics should we communicate with? Business always speaks in quantitative terms because numbers either directly or indirectly – such as when manipulated for reporting – paint a vivid picture for business progression. Often, security professionals report metrics and data that make sense to them, but do not translate well into business metrics, which is what the rest of the organisation understands well.
The final and overarching issue that clouds effective communication between the business’s board and security professionals is the lack of a relationship between the security professionals and the rest of the business. The absence of a robust working relationship means there is no trust between the two.
Often, the business thinks of security as a business cost, although essential, and not a facet that fosters innovation, growth and success. To unravel this misconception, the board must ensure that actions and resources are provided to ensure that all is done for the security team in full spirit.
This means the security professional will be provided with the necessary audience so that he or she can communicate freely and openly without fear of being penalised. An appropriate culture also means greater understanding between boards and security professionals, so that implementation of security-related actions will be understood as aiding the business, rather than impeding progression and innovation.
Read more from Computer Weekly’s Security Think Tank about how infosec can communicate with the board
The next step in aiding effective communication is to establish a common language for communicating within the organisation to discuss risk and other security-related matters. For this to work, all stakeholders must have a shared understanding of the discussion, preventing misunderstanding and allowing open discussions on topics that are typically thorny. A commonly understood language eliminates the need for jargon and the misunderstanding it can bring.
A common language provides the added benefit of connecting IT risk to business risk, thereby demonstrating to the organisation the need for effective implementation of necessary actions by IT to protect the business. When business risks and IT risks are connected, metrics are established that talk to each other, and are translated easily from an IT perspective into a business perspective.
This means that when IT indicates the need for a certain budget for end-point protection or staff training, for example, it will be easy to translate this into money terms, enabling the board and business leaders to understand the conversation in business terms.
Also, an open working relationship between IT and business translates into early and effective security implementation. This means security is involved in the discussion at an early stage, from the design phase, thereby reducing the cost of security by several factors.
Involvement in the design phase translates into a security approach that embeds security into processes and solutions rather than as an add-on. The business treats the security professional as a trusted adviser working towards common goals, rather than as an adversary working at cross-purposes. This allows all parties to benefit from the relationship and communicate collaboratively.
Overall, a better culture and working relationship between the board and security professionals opens multiple avenues for effective conversation. A better working relationship between the two sides of the business will bridge the misconception that IT risk is separate from business risk. It will also foster the right environment to include security as a key stakeholder in wider business policies and will, ultimately, create an open conversation that reduces alien metrics and industry jargon.