Maksim Kabakou - Fotolia

Security Think Tank: Frame cyber security impacts in business contexts

How can security professionals communicate effectively with the board and senior business leaders – what works and what doesn’t?

In its simplest form, the role of security professionals is to reduce the risk faced by the organisation. Achieving this goal extends beyond technical skills – in particular, it requires those in charge of security operations to “onboard the board”, with a key execution tool being effective communication.

As with many professions, there can be a tendency for IT security experts to lean on the in-depth knowledge required for their job and focus extensively on the more detailed elements of risk management and IT solutions. However, this is often a barrier to effective discussions at board level, where brevity and a focus on objectives are key.

The following checklist aims to ensure both IT security and senior management are equally engaged in the business of risk management.

Know the audience

Key to communication of any kind is to understand who is listening and their touchpoints so that discussions are in a language that will resonate with them. 

For senior business leaders this usually means avoiding being too “techie”. While some may be familiar with the technical aspects and will respond to the details positively, there is danger that the issues will be regarded as trivial for those who do not, and may therefore react by pushing back on the inability of IT to substantiate the issue. 

For example, going into significant details on networking protocols and router configuration to executives who don’t need this level of specification will not achieve results.

Focus on business risk

Security issues need to be framed in a way that details the potential risk to the business. It’s important to highlight that the problem extends far beyond the walls of the IT department and can impact the organisation as a whole. 

Most risk boils down to the fundamentals of finance in some form, so putting arguments into terms of the financial ramifications can help to illustrate conceptual risk to an audience that, because security is not an everyday activity, don’t have to fully understand the technical details behind the risks themselves.

Empower the business team

Outlining IT security issues in a way that is inclusive for business executives allows them to understand they have a role to play and can influence the outcome. This empowers them, rather than making security an IT-only problem. 

An IT issue, identified by the IT team which has also proposed an IT solution, can propagate the idea that IT needs to take sole responsibility for anything related to an organisation’s technical systems – reasoning that is counter-productive to the valid argument that the IT department should be regarded as business enablers, rather than just a maintenance function for problems.

Don’t drown the argument in details

While it is important to provide enough context to clearly articulate the security issue, too much peripheral detail is likely to alienate people and may result in them switching off and therefore missing the key pieces of information. 

In-depth data and proof points, while key to include, are best kept to appendices that support the executive summary of the argument.

Make it manageable

Having understood why the IT security solution is required, the desired outcome then needs to be shown as achievable. Achieving this can be helped by first presenting the future scenario and following up with details on the steps required to get there.

Alternatively, a more agile approach can be adopted, breaking overall activity into bite-sized chunks, rather than taking a big-bang approach.

Conclusion

Many board and senior executives are switched off by security concerns – not through a lack of appreciation of the importance of the issues, but because they feel ill-equipped to fully understand them. The more that security discussions are surrounded by technical jargon and complex language, the more ostracised the executives will feel. The overall result is a greater disconnect between those with the ability to make improvements and those with the power to commission those initiatives.

But if security professionals can make their case in language appropriate to non-technical audiences and frame the impacts in business contexts, it is far more likely that business leaders will understand, support and maybe even champion the required initiatives.

Read more from Computer Weekly’s Security Think Tank about how infosec professionals can communicate with the board

Read more on IT risk management