Many of the cybersecurity challenges that CISOs, CIOs, and business leaders face today are not actually technology-related, but rather are the result of breakdowns in communication. The fundamental reason for this is that too many enterprise security professionals think in terms of technology risk, while business users think in terms of business risk. And business leaders don’t always readily translate enterprise technology risk into what it means as risk to the business.
If security professionals want to succeed in securing their organizations and get the IT security budgets they need to do so, they must be persuasive and get their message across in ways business leaders care about.
Poor communication of technical fragilities and risks
Certainly, it’s no surprise that security professionals think in technical terms. When they see a SQLi vulnerability, they see a vulnerable database or an at-risk application. When they are looking at mitigating insider threats, they think of ways to ensure that people only have access to the data and information they need, and that all data access is logged and application usage is properly monitored. These are all absolutely legitimate ways to look at these risks. But business managers look at them from a different angle: they want to know how data are put at risk, what that may mean to the business, and how business services may be disrupted. What is the probability of the risk becoming real? How much is it going to cost?
Communicating in terms of technical fragilities and risks, and expecting business leaders to convert those into business risks, is one of the most common reasons why security teams don’t always get the support from the business that they should – despite increasingly skilled and knowledgeable attackers looking to steal as much data of value as they can.
Another common challenge: largely because security professionals speak in terms that business managers don’t understand, those managers won’t automatically trust what is being said. This causes security professionals to grow concerned, even desperate, to make an impact and get the results they want. So they increase their use of FUD (fear, uncertainty, and doubt) and are even more likely to lose trust. Not a good cycle. The first rule is to gain credence with the enterprise’s business leaders, and the second rule is to keep that trust. That means staying away from FUD and anything else that could damage the level of trust gained with executives over time.
What can security teams do to gain and maintain that trust?
Security pros can obtain and maintain credibility by offering objective advice that helps executives make the best business judgments they can about the risks the organization faces. While it’s good to use information about the types of threats that are out there, they should avoid being Chicken Little, always predicting the end of the world, because when it doesn’t happen, they will lose credibility.
In an interview for CSOonline, I discussed with Eric Cowperthwaite, then CISO at Renton, Washington-based Providence Health and Services, why IT security often falls short of what it wants to achieve. He summed it up well:
They [business leaders] want to hear from you about how preventing malicious access is an issue that they need to deal with. They want to hear how you can actually reduce the operating expense of the company related to security incidents by doing X, Y, and Z. Remember, a security incident hits operating expenses and it's unplanned, which means that it comes directly out of net operating income. If you have a security incident that is almost certainly going to impact your quarterly earnings statement, your CFO very much cares about that. So if you can show your CFO that last quarter these are the security events that happened, and here's how much they cost, and they were a hit to net operating income, you'll have his or her attention. He/she also will then be more willing to hear about things you are doing to reduce the costs of such breaches in the future. And if you do need more tools or organizational changes to get it done, you've just made a strong business case.
Gaining credibility, becoming a trusted advisor to the business, and discussing threats with executives in business terms will all help you eventually secure the budget you need.
Another key here is to align the IT security team with IT, and especially new IT initiatives, so that security advice can be positioned as consultative and as a way to enable new business efforts that are technology-driven. As the old security saying goes, the brakes on a car aren’t there just so the car can stop; they are there so that it can move safely at speed.
So, look for opportunities to help the enterprise achieve what it needs to do with mobile, ecommerce, Internet of Things (IoT), and big data analytics. Develop ways the enterprise can embrace these technologies without increasing risks to unacceptable levels, and demonstrate how different approaches to security will result in higher or lower levels of business risk.
All of this will enable you to detail security risks and controls, and how they relate to business trade-offs. That will go a long way to forging better lines of communication with the business rather than talking in technical terms or trying to frighten executives with FUD.