
Security Think Tank: Infosec needs to avoid FUD and keep it real

How can security professionals communicate effectively with the board and senior business leaders – what works and what doesn’t?

According to the 2017 Information security workforce study, employers are looking for infosec professionals with strong communication skills as well as analytical skills. But there is a gap between employer and candidate expectations: this communication requirement was not seen as a priority by the infosec professionals who responded to the study.

This neatly sums up an issue that many businesses and organisations are facing – business infosec requirements are not being fully met, and in this case, it is not a technical issue.

With this situation running in the background, many infosec professionals are feeling under-represented in the boardroom and that their senior directors do not understand the challenges and fiercely complex threat landscape they are being expected to navigate. Often, they are navigating this landscape with smaller than optimum teams and are struggling to retain skills, while not receiving, in their opinion, the senior management support and leadership they need.

At the same time, according to a survey by Osterman Research, boards say they do not understand the security reports they receive, and both groups agree that risk is not always reduced as a result of their communication.

The same survey shows that 93% of the board members who responded indicated that some form of action will be taken against infosec professionals if they do not provide useful, actionable information. Given the shortage of skills in the infosec arena, this is a bold position.

So it is fairly clear that we have a pronounced and chronic communication problem, and that the highly skilled infosec people we have, and are recruiting, need to up their communication game. Boards are not off the hook either: if they were communicating with their infosec people effectively, this situation would already be starting to self-correct, but it clearly isn’t.

The key question, when it comes to infosec professionals not communicating, is: do we mean can’t or won’t? If the infosec community is serious about getting more infosec professionals into the boardroom, then they must do more of the kind of reporting that boardrooms can actually digest and act upon.

This is something I started questioning a few years ago and, as a communicator in security, I felt that communications people could potentially be part of the solution. Last year, I was invited to speak at an Institute of Information Security Professionals (IISP) masterclass on this topic.

My goal in starting this conversation is to improve the understanding not only between infosec and the board, but also between infosec and the business at large. Not only could infosec teams use their comms specialists to help build boardroom reporting, communications and presentations in business language, but they could also be helping to identify key communicators in business units across the organisation. 

In this way, the lexicon of risk and security would become an embedded part of understanding and practice at all levels of the business, including the board.  

What works and what doesn’t?

The Osterman research tells us that boards find little value in complex cyber security reports. Respondents cite a failure to identify actionable insight and too much “cyberspeak” as the key barriers, both to engagement with the security function and to reducing risk. If the language of your report dents the self-esteem of the recipient, it will fail. Your board knows you are well informed and knowledgeable – there is no need to prove it in your interactions.

So keep it simple and keep it actionable, whenever possible. Assume that they know little about the topic, but never imply that. Simply boil down key points.

A great deal of external marketing communication is already aimed at your senior business leaders. Following the full implementation of the EU’s General Data Protection Regulation (GDPR), much of this communication has been based on fear, uncertainty and doubt (FUD). This has not helped the cause of infosec/board relations in many ways, although it has helped to establish the beginning of a lexicon: avoid FUD and keep it real.

Use the powerful language of risk and finance. Find out what the board is motivated by – increasing or protecting revenue, for instance – and relate your messaging back to that. Talk about the organisational risk appetite and show how the security position you are reporting sits against it. In terms of reporting, don’t supply spreadsheets or raw security software outputs unless you know that is what they want, and make sure you have drawn the key conclusions from them and can communicate those conclusions simply.

Go easy on the acronyms, keep the tech talk to a minimum, and focus on function and outcome.

To help make sure you still get your point across, enlist the support and advice of your comms professional. Explain what outcome you are seeking and be prepared for questions. You will also need to explain that you want your report to be FUD-free.

Find out how departments such as finance and human resources report, and see whether their reporting style can be adapted. A report that looks and feels familiar will engender empathy and interest more quickly, and working within such a format will also help you to discipline your own thoughts and processes when creating the output in the first place.

Infosec reporting must be consistent, so the communication style needs to be repeatable and transportable. If it is good enough, it will be shared and then you will know you are getting it right. Create templates with the collaboration of your comms team and be prepared to tweak them.

Even if you haven’t collaborated with communications people in creating your report, make sure you review it with them before you present it to the board. If they say “so what?” to your points, then there is a loop that needs closing, an outcome you have not outlined, or a possible consequence that really matters has been missed.
