Communicating with C-suite leaders about the ongoing security threats your company faces can easily turn into an exercise in futility. Their eyes glaze over as you present metrics and charts that illustrate the current state of the business’s IT infrastructure, and your attempts to justify investments in additional security tools and systems end up being unsuccessful.
You and your department may believe that you’re conveying clear, accurate, and valid arguments for why the company needs to devote more of the budget toward information security. But your audience only sees metrics that are too technical for them to understand and strange graphs that display complicated trends.
In other words, you’re failing to contextualize your data into terms that resonate with leaders who work outside of IT.
Context Is Key
In a room full of IT professionals, claiming that you’ve successfully remediated every host carrying a vulnerability with a Common Vulnerability Scoring System (CVSS) score of 5 or above will draw a round of applause. In a room full of C-suite leaders, however, this same fact without any additional context will only draw confusion.
When speaking with leaders from across the business, it’s important to remember the common goal you share: enablement. In your case, by assessing the risks your company faces, balancing them with the potential costs of a breach, and making security investments accordingly, you’re enabling every department to function and thrive on a day-to-day basis.
You need to make it clear to your audience—in terms they can relate to—how your team is directly contributing to this universal goal. Rather than presenting industry-standard metrics without further explanation, contextualize your findings by showing their net value. Explain exactly why you’ve chosen to present this metric, and describe exactly how remediating hosts that carry vulnerabilities with a CVSS score of 5 or higher directly enables the whole company.
Not every member of the C-suite understands information security, but everyone understands risk. Day in and day out, your fellow leaders conduct countless risk assessments when making high-level decisions—so why shouldn’t risk analysis play a key role in the conversations you have with them?
Similar to how insurance companies use actuarial tables to assess risk and make smarter decisions, equip your audience with necessary background details that lead to informed conclusions. Measure the risk liability they’re taking on by not protecting certain assets, highlighting the company-wide value of the systems and data you’re seeking to protect as well as the implications of a potential breach.
“Measurement” is a core principle of lean security—an approach every modern company ought to take when protecting its digital assets. But keep in mind that measurement requires context in order to be understood by key stakeholders across every department. The greatest security metrics in the world mean nothing to your C-suite without a clear explanation that includes why you’ve chosen to present this data, how these numbers relate to risk, and why acting on your findings will lead to enablement.
Reframe Your Approach
Adding much-needed context to your metrics provides these benefits to you and your department:
There’s no question that information security involves highly complex technical language and metrics, but that doesn’t mean you have to use only these terms when communicating with your senior-level cohorts. Build company-wide understanding around security by adding big-picture context to your metrics, and reap the rewards of trust, support, and career happiness.