9/1/2016 10:30 AM
Andrew Storms
Commentary

How To Talk About Security With Every C-Suite Member

Reframe your approach with context in order to get your message across.

Communicating with C-suite leaders about the ongoing security threats your company faces can easily turn into an exercise in futility. Their eyes glaze over as you present metrics and charts that illustrate the current state of the business’s IT infrastructure, and your attempts to justify investments in additional security tools and systems end up being unsuccessful.

You and your department may believe that you’re conveying clear, accurate, and valid arguments for why the company needs to devote more of the budget toward information security. But your audience only sees metrics that are too technical for them to understand and strange graphs that display complicated trends.

In other words, you’re failing to contextualize your data into terms that resonate with leaders who work outside of IT.

Context Is Key
In a room full of IT professionals, claiming that you’ve successfully addressed all hosts with a Common Vulnerability Scoring System (CVSS) score of 5 or above will draw a round of applause. In a room full of C-suite leaders, however, this same fact without any additional context will only draw confusion.

When speaking with leaders from across the business, it’s important to remember the common goal you share: enablement. In your case, by assessing the risks your company faces, balancing them with the potential costs of a breach, and making security investments accordingly, you’re enabling every department to function and thrive on a day-to-day basis.

You need to make it clear to your audience—in terms they can relate to—how your team is directly contributing to this universal goal. Rather than presenting industry-standard metrics without further explanation, contextualize your findings by showing their net value. Explain exactly why you’ve chosen to present this metric, and describe exactly how addressing hosts with a 5-or-higher CVSS score directly enables the whole company.

Not every member of the C-suite understands information security, but everyone understands risk. Day in and day out, your fellow leaders conduct countless risk assessments when making high-level decisions—so why shouldn’t risk analysis play a key role in the conversations you have with them?

Similar to how insurance companies use actuarial tables to assess risk and make smarter decisions, equip your audience with necessary background details that lead to informed conclusions. Measure the risk liability they’re taking on by not protecting certain assets, highlighting the company-wide value of the systems and data you’re seeking to protect as well as the implications of a potential breach.

“Measurement” is a core principle of lean security—an approach every modern company ought to take when protecting its digital assets. But keep in mind that measurement requires context in order to be understood by key stakeholders across every department. The greatest security metrics in the world mean nothing to your C-suite without a clear explanation that includes why you’ve chosen to present this data, how these numbers relate to risk, and why acting on your findings will lead to enablement.

Reframe Your Approach
Adding much-needed context to your metrics provides these benefits to you and your department:

  • Strategic Investments: Once you contextualize your data and clearly show how your department’s actions are better enabling the entire company, the rest of the C-suite will see the true value of your existence. Instead of thinking that your team is a group of people that sits in a silo, they’ll understand the daily impact you have on every single department. Therefore, they will be more willing to support you when you ask for additional funding and investments in security systems and tools.
  • More Trust and Credibility: Fostering a deeper understanding of how information security contributes to the overall well-being of the company will change the way other leaders interact with you. Rather than thinking your greatest contribution to the business is deploying patches, they’ll see you as a key resource for risk assessment and high-level decision making.
  • Professional Fulfillment: Information security is a profession with a notoriously high level of turnover, largely for the same reason I felt compelled to write this article: it is just so difficult to convey your contributions to the rest of the company and get other leaders on board with your mission. Thanks to the trust, credibility, and respect you build through your revamped communication style, your job will feel much more fulfilling, and your footing as a company leader will be cemented for years to come.

There’s no question that information security involves highly complex technical language and metrics, but that doesn’t mean you have to use only these terms when communicating with your senior-level cohorts. Build company-wide understanding around security by adding big-picture context to your metrics, and reap the rewards of trust, support, and career happiness.

Andrew Storms serves as the vice president of security services at New Context. He has been leading IT, security and compliance teams for the past two decades at companies like CloudPassage, nCircle and Tripwire. Storms' advocacy on IT security issues has appeared in CNBC, ...
