Recently I have been working with a number of customers who are finally getting it: they understand that information security is actually important and that they should pay attention to it. Much of this has been in response to inquiries from their executives or boards of directors, who are asking more questions as high-profile hacks appear on the nightly news and reports such as the Symantec Internet Security Threat Report describe the additional risk that is out there. In the 2012 ISTR, the manufacturing sector was the most attacked sector in 2012; this is a change for many of these companies, since in the past the worry was only about nonpublic personal information.
Many if not all security professionals came up through the technical side of the house; we all really enjoy discussing malware, installing the latest security tool, or learning about the latest vulnerabilities. I can guarantee the majority of boards of directors are far less technical than you and speak a different language. While you are responsible for protecting the company's data, they are responsible for maximizing shareholder equity. So when giving an update, don't bore them: speaking about this new web filter or XYZ vulnerability will do exactly that. Instead, speak their language.
So how do we speak in the language of the board? For regular updates (hopefully these are annual or more frequent), speak to the risk to the business at a high level, then break it down by business unit if possible and in terms of dollars at risk. If you have incomplete information, provide a confidence level. If you feel the risk is too high or the confidence level too low, provide solutions at a high level with budgetary numbers to lower the risk or increase your confidence, or speak to the plan that has already been approved. Track the risk over time and chart it to, hopefully, show improvement. If risk does rise, this is a great conversation about why it rose and what the business drivers were. Did the business decide not to implement recommended controls? Remember, these are the individuals who can get you additional resources, so ask for them.
Speak to major initiatives at a high level and how they enable the business to make more money; good examples could be allowing the mobile workforce to use iPads to better serve customers in the field, or allowing online transactions. Remember, they are business people, and we need to speak to them in their terms. When you have the business conversation they will view you in a different light: you will provide them the information they need to do their job, and hopefully you will get the resources you need. Now get out there and start working on those updates.
Cross Posted from the Symantec Cyber Readiness & Response Blog
Copyright 2010 Respective Author at Infosec Island