How to Communicate Information Security Effectively with the Business – Learn to Speak Two Languages
Information security professionals use words like threat, malware, virus, and attack vector to describe the dangers to an information system. None of those words resonate with the business executive. Business executives understand and speak risk and profit. So, when an information security executive needs to communicate with a business executive, they must avoid the information security jargon that can shut down a business executive’s attention. Chief Information Security Officers, as well as other information security executives, must become bilingual. They must be able to communicate with the information security analysts and other professionals that work for them and they must be able to communicate with business executives like the CEO and the Board.
To an information security professional, as well as most IT professionals, risk is automatically a bad word. I do not know how many project meetings I have attended where the risks were highlighted in red and presented as a danger. To a business executive, risk is simply another factor that must be evaluated before making a decision. Many of the business executives with whom I have spoken have stated that it is very difficult to make money without taking risks. This is one of the fundamental differences in viewpoint between business on the one hand, and information security and IT on the other. This difference causes many communication problems between these different components of an organization.
For example, when we did a risk assessment at my former agency, I would evaluate the findings to determine if I believed any significant risks existed. That evaluation was done with the help of the people who reported to me. We discussed compliance with the various information security frameworks that we were required to follow. We discussed any legal or statutory shortcomings. We discussed best practices. And, yes, we discussed threats, malware, viruses, and attack vectors. We discussed mitigation methods to resolve these issues. We did whatever research was required to price the solutions that we had discussed.
But, when I took these findings to the business executives, that was a very different conversation. I needed to present this information in terms of risks to the business. Will we be fined for noncompliance? Will this affect our ability to conduct business? I presented the risks along with the costs and impacts of my recommendations. I used business terms and discussed the impacts and risks to the business, not to IT and not to Information Security. It was not my place to accept the risk; that belonged to the business units. It was the business executives who needed to decide whether they were willing to live with that risk and its consequences or spend the money to mitigate the risk.
I would like to make one last point here. The Office of Information Security in many organizations is considered to be the “Department of No!” CISOs need to work to change this image. The Office of Information Security should be thought of as the people who help the business do the things that they need to do - but do it securely. We need to stop saying “No” and start saying “Sure, we can do it like this.” One way to accomplish this is to have Information Security involved in all project initiation meetings. Often a gentle nudge at the beginning of a project is enough to ensure project security. If you bring a project to me the day before “Go Live”, then I may have no choice but to say no. I have no idea if the project is secure or not. I have tried very hard to avoid that situation. Another way is to stay in contact with the business executives. Ask them what’s on their mind. Ask them about upcoming projects. Ask them what you can do to help them. It’s important that the business executives trust the CISO.
Wes Knight, Director of Business Development – Government Sector, Needling Worldwide