One of the biggest challenges we face with securing our networks and systems is that many businesses view cyber security as an IT problem and not a business problem. However, when you consider how dependent businesses are on IT and, more importantly, on the information on those systems, it’s obvious that businesses need to realize cyber security really is a business issue. As information security professionals we need to realize that helping business leaders understand the threats posed by cyber security is a challenge that we need to face in order to keep our systems secure.
To effectively communicate with the business we must learn to gain the trust of business leaders. Too often we are seen as the people who stop or block initiatives because of security concerns, or the business only see us when there is a security problem. Both scenarios result in security being viewed in a negative light.
To address this we must be more proactive and look at how security can help the business reach its goals. Regularly meeting with senior management within other departments to see what their challenges are could enable you to identify ways to meet those challenges while also gaining an ally at the senior management table. For example, a discussion with the head of sales may highlight the challenges his/her team have in accessing key corporate client management systems. If as a result of this information you can proactively identify a secure way to enable the sales team to do this, then this would positively impact the company’s bottom line and also how the security function is viewed. So developing better relationships with other business managers is a key step in establishing good communications with the business.
The next issue to address is how we communicate with the business. Many of us in security roles have come from technical backgrounds and while this is good as it enables us to better understand the threats we face, it can impact negatively on how we communicate with others. Too often we rely on technical jargon, the dreaded TLAs (Three Letter Acronyms), or the latest buzzwords to spice up how issues are presented to senior management. However, by using too much technical jargon we can “blind people with science” to the extent that they do not understand what the actual message is that we are trying to communicate. So instead of presenting the latest threats in technical terms and jargon, we should learn to express issues in plain English so they can be better understood.
Telling senior management “there is a SQL injection vulnerability that exposes our primary tables in our customer databases” does not have the same impact as saying “a security defect in our website could allow criminals to access all our customer records leading to damage to our reputation and potential legal and regulatory issues”.
We also need to realize that everything cannot be a top priority. Businesses are not run and are not profitable by reacting to every emergency and trying to address every issue. Businesses look at issues, determine their potential impact on the bottom line (be that positive or negative), what needs to be done to manage the issue, and whether or not it is actually worth dealing with the issue. If as CSOs we run to senior management claiming every threat and issue is a top priority we will quickly be viewed as the boy who cried wolf all the time. To better engage the business in dealing with security issues we need to present them terms of risk that the business can better understand.
I worry about CSOs who claim lack of businesses understanding security is what is causing their security programs to fail. The CSO by definition is responsible for security in the organization, they are the one responsible for ensuring senior business people, and indeed every user in the organization, understands the importance of information security. If the CSO finds the organization is not responding to his leadership, then that CSO is the wrong person for that organization or indeed that organization may be the wrong one for the CSO.
At the end of the day being able to work with others is all about building relationships and relationships are based on establishing and maintaining trust. The most effective way to build trust is by clear and concise communication.
Brian Honan is an independent security consultant based in Dublin, Ireland, and is the founder and head of IRISSCERT, Ireland’s first CERT. He is a Special Advisor to the Europol Cybercrime Centre, an adjunct lecturer on Information Security in University College Dublin, and he sits on the Technical Advisory Board for several information security companies. He has addressed a number of major conferences, wrote ISO 27001 in a Windows Environment and co-author of The Cloud Security Rules.