In our previous post we talked about the importance of the CISO's role in helping organizations maintain solid security programs, and in keeping what an enterprise decides its security posture should be aligned with the personnel, technical, and process controls that need to be in place to enforce that policy.
And as we discussed, one of the biggest challenges in getting there is getting executive leadership on board. This is essential because without executive sponsorship of the security program, not only won't the budget be in place to get done what needs to be done, but there won't be the will needed to make the difficult decisions that are required to keep people, systems, and data secure.
This is more important to businesses today than ever. As more and more of the business becomes digitized, deploys more apps, and generates more data at ever-increasing speed, there is a greater digital attack surface than ever before. Nearly every company today is digital and runs on software. There aren't many executives who would disagree with this, or with the fact that this data needs protection.
So why is it so hard to get executive buy-in and keep the security program aligned with the business? One of the reasons is that information security professionals are often their own worst enemy when it comes to communicating the nature of risks. Most are technologists who are comfortable talking in terms of technical flaws and vulnerabilities, but they don't do enough to translate those technical risks into potential business risks. If security professionals want executive leadership to hear what they are saying, information security has to be communicated in business terms.
After years of interviewing CISOs, CIOs, CEOs, CMOs, security analysts, operations people, developers, and others in the enterprise, I'm certain that communication problems among these various groups are one of the most pressing challenges, if not the most pressing.
When explaining information security risks, what does it mean to explain them as business risks? If you are making the case for an investment in automated security and QA testing in the development pipeline, for instance, the primary technical focus would be on reducing software flaws. While reducing security-related and quality-related software flaws is obviously worthwhile, the primary interest of business executives will be in a demonstration of how such a program will reduce the risk of a data breach, improve application updates, and reduce costly software fixes later on.
This will help to secure budget more than anything else. Well, that's not entirely accurate: a nasty data breach will secure the most security budget, but that's not a path most want to have to endure.
Finally, communicating isn't only about speaking with senior leadership. It's also about learning how to help the various lines of business and units be more secure. What are their pain points, and how can the security program help? Perhaps younger employees want to be able to use more types of devices, or cloud services. Sometimes these things may not be possible, depending on the job role. Other times, however, it's possible to provide workers the tools and services they want in a secure way.
And that is how, by helping business leaders and managers get what they need (but securely), you not only get heard by business leaders but get them to proactively seek your advice.