
9/1/2016
10:30 AM
Andrew Storms

How To Talk About Security With Every C-Suite Member

Reframe your approach with context in order to get your message across.

Communicating with C-suite leaders about the ongoing security threats your company faces can easily turn into an exercise in futility. Their eyes glaze over as you present metrics and charts that illustrate the current state of the business’s IT infrastructure, and your attempts to justify investments in additional security tools and systems end up being unsuccessful.

You and your department may believe that you’re conveying clear, accurate, and valid arguments for why the company needs to devote more of the budget toward information security. But your audience only sees metrics that are too technical for them to understand and strange graphs that display complicated trends.

In other words, you’re failing to contextualize your data into terms that resonate with leaders who work outside of IT.

Context Is Key
In a room full of IT professionals, claiming that you’ve successfully addressed all hosts with a Common Vulnerability Scoring System (CVSS) score of 5 or above will draw a round of applause. In a room full of C-suite leaders, however, this same fact without any additional context will only draw confusion.

When speaking with leaders from across the business, it’s important to remember the common goal you share: enablement. In your case, by assessing the risks your company faces, balancing them with the potential costs of a breach, and making security investments accordingly, you’re enabling every department to function and thrive on a day-to-day basis.

You need to make it clear to your audience—in terms they can relate to—how your team is directly contributing to this universal goal. Rather than presenting industry-standard metrics without further explanation, contextualize your findings by showing their net value. Explain exactly why you’ve chosen to present this metric, and describe exactly how addressing hosts with a 5-or-higher CVSS score directly enables the whole company.

Not every member of the C-suite understands information security, but everyone understands risk. Day in and day out, your fellow leaders conduct countless risk assessments when making high-level decisions—so why shouldn’t risk analysis play a key role in the conversations you have with them?

Similar to how insurance companies use actuarial tables to assess risk and make smarter decisions, equip your audience with necessary background details that lead to informed conclusions. Measure the risk liability they’re taking on by not protecting certain assets, highlighting the company-wide value of the systems and data you’re seeking to protect as well as the implications of a potential breach.

“Measurement” is a core principle of lean security—an approach every modern company ought to take when protecting its digital assets. But keep in mind that measurement requires context in order to be understood by key stakeholders across every department. The greatest security metrics in the world mean nothing to your C-suite without a clear explanation that includes why you’ve chosen to present this data, how these numbers relate to risk, and why acting on your findings will lead to enablement.
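As an added illustration of the reframing this section describes (example code written for this page, not code from the article or its author), the following Python script starts from the IT-room metric, "hosts with a CVSS score of 5 or above", joins it to an asset inventory that carries business context, and restates it per business unit as estimated annual exposure and as the value of remediation. The hosts, business units, dollar values, breach likelihoods and scan findings are constructed sample data, and the exposure model (the annual value a host supports multiplied by an assumed breach likelihood) is an assumption standing in for whatever actuarial-style estimate a given company would use.

```python
"""Reframe 'hosts with CVSS >= 5' as business-unit risk exposure.

Added example; all data below is constructed, and the exposure model
(annual value the asset supports x assumed breach likelihood) is an
assumption, not a method prescribed by the article.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    host: str
    business_unit: str
    annual_value_usd: float    # revenue or process value the host supports (assumed)
    breach_likelihood: float   # assumed annual probability of compromise while unpatched


@dataclass(frozen=True)
class Finding:
    host: str
    cvss: float                # CVSS base score reported by the scanner


CVSS_THRESHOLD = 5.0           # the "5 or above" line the article uses

# Constructed asset inventory: the business context the raw scan lacks.
ASSETS = [
    Asset("web-01", "Payments", 4_000_000, 0.10),
    Asset("web-02", "Payments", 4_000_000, 0.10),
    Asset("db-01", "Payments", 6_000_000, 0.05),
    Asset("hr-01", "HR", 500_000, 0.10),
    Asset("wiki-01", "Engineering", 100_000, 0.20),
]

# Constructed scanner output: one row per finding.
FINDINGS = [
    Finding("web-01", 7.5),
    Finding("web-01", 4.3),
    Finding("web-02", 5.0),
    Finding("db-01", 3.1),
    Finding("hr-01", 9.8),
    Finding("wiki-01", 2.0),
]


def hosts_at_or_above(findings, threshold=CVSS_THRESHOLD):
    """The IT-room metric: hosts carrying a finding scored at or above the threshold."""
    return {f.host for f in findings if f.cvss >= threshold}


def exposure_by_unit(assets, findings, threshold=CVSS_THRESHOLD):
    """Join the metric to the inventory and express it per business unit.

    Returns {unit: {"hosts": n, "affected": m, "exposure_usd": x}}, where
    exposure_usd is the expected annual loss attributed to the affected hosts.
    """
    affected = hosts_at_or_above(findings, threshold)
    units = defaultdict(lambda: {"hosts": 0, "affected": 0, "exposure_usd": 0.0})
    for asset in assets:
        row = units[asset.business_unit]
        row["hosts"] += 1
        if asset.host in affected:
            row["affected"] += 1
            row["exposure_usd"] += asset.annual_value_usd * asset.breach_likelihood
    return dict(units)


def remediation_value(assets, findings, threshold=CVSS_THRESHOLD):
    """Net value of addressing every host at or above the threshold: the exposure removed."""
    rows = exposure_by_unit(assets, findings, threshold)
    return sum(row["exposure_usd"] for row in rows.values())


def executive_summary(assets, findings, threshold=CVSS_THRESHOLD):
    """One line per business unit, highest exposure first, in risk terms rather than CVSS terms."""
    rows = exposure_by_unit(assets, findings, threshold)
    lines = []
    for unit, row in sorted(rows.items(), key=lambda kv: kv[1]["exposure_usd"], reverse=True):
        lines.append(
            f"{unit}: {row['affected']} of {row['hosts']} systems carry unaddressed findings "
            f"scored {threshold:g} or higher; estimated annual exposure ${row['exposure_usd']:,.0f}"
        )
    total = remediation_value(assets, findings, threshold)
    lines.append(f"Addressing all of them removes an estimated ${total:,.0f} of annual exposure")
    return lines


if __name__ == "__main__":
    print(f"Raw metric: {len(hosts_at_or_above(FINDINGS))} hosts with CVSS >= {CVSS_THRESHOLD:g}")
    for line in executive_summary(ASSETS, FINDINGS):
        print(line)
```

Run as-is, the script prints the bare count first and then the same fact restated as exposure by business unit. The first form is what draws applause in the IT room; the second is what a business leader can weigh against a budget request, because it names which parts of the company are exposed and what addressing the findings is worth.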

Reframe Your Approach
Adding much-needed context to your metrics provides these benefits to you and your department:

  • Strategic Investments: Once you contextualize your data and clearly show how your department’s actions are better enabling the entire company, the rest of the C-suite will see the true value of your existence. Instead of thinking that your team is a group of people that sits in a silo, they’ll understand the daily impact you have on every single department. Therefore, they will be more willing to support you when you ask for additional funding and investments in security systems and tools.
  • More Trust and Credibility: Fostering a deeper understanding of how information security contributes to the overall well-being of the company will change the way other leaders interact with you. Rather than thinking your greatest contribution to the business is deploying patches, they’ll see you as a key resource for risk assessment and high-level decision making.
  • Professional Fulfillment: Information security is a profession with a notoriously high level of turnover, mainly because of the reason I felt compelled to write this article: It’s just so difficult to convey your contributions to the rest of the company and get other leaders on board with your mission. Thanks to the trust, credibility, and respect you build through your revamped communication style, your job will feel much more fulfilling, and your footing as a company leader will be cemented for years to come.  

There’s no question that information security involves highly complex technical language and metrics, but that doesn’t mean you have to use only these terms when communicating with your senior-level cohorts. Build company-wide understanding around security by adding big-picture context to your metrics, and reap the rewards of trust, support, and career happiness.

Andrew Storms serves as the vice president of security services at New Context. He has been leading IT, security and compliance teams for the past two decades at companies like CloudPassage, nCircle and Tripwire. Storms' advocacy on IT security issues has appeared in CNBC, ...