How To Talk About Security With Every C-Suite Member

Reframe your approach with context in order to get your message across.

Andrew Storms, VP Security Services, New Context

September 1, 2016


Communicating with C-suite leaders about the ongoing security threats your company faces can easily turn into an exercise in futility. Their eyes glaze over as you present metrics and charts that illustrate the current state of the business’s IT infrastructure, and your attempts to justify investments in additional security tools and systems end up being unsuccessful.

You and your department may believe that you’re conveying clear, accurate, and valid arguments for why the company needs to devote more of the budget toward information security. But your audience only sees metrics that are too technical for them to understand and strange graphs that display complicated trends.

In other words, you’re failing to contextualize your data into terms that resonate with leaders who work outside of IT.

Context Is Key
In a room full of IT professionals, reporting that you've remediated every host carrying a vulnerability with a Common Vulnerability Scoring System (CVSS) base score of 5 or above (medium severity and up) will draw a round of applause. In a room full of C-suite leaders, however, the same fact without any additional context will only draw confusion.

When speaking with leaders from across the business, it’s important to remember the common goal you share: enablement. In your case, by assessing the risks your company faces, balancing them with the potential costs of a breach, and making security investments accordingly, you’re enabling every department to function and thrive on a day-to-day basis.

You need to make it clear to your audience, in terms they can relate to, how your team directly contributes to this shared goal. Rather than presenting industry-standard metrics without further explanation, contextualize your findings by showing their net value: explain why you chose this particular metric, and describe how fixing the hosts with a CVSS score of 5 or higher directly enables the whole company.

Not every member of the C-suite understands information security, but everyone understands risk. Day in and day out, your fellow leaders conduct countless risk assessments when making high-level decisions—so why shouldn’t risk analysis play a key role in the conversations you have with them?

Just as insurance companies use actuarial tables to assess risk and make better decisions, equip your audience with the background details they need to reach informed conclusions. Quantify the liability they take on by leaving certain assets unprotected: the company-wide value of the systems and data you are seeking to protect, how likely those assets are to be compromised, and what a breach of them would cost.

“Measurement” is a core principle of lean security—an approach every modern company ought to take when protecting its digital assets. But keep in mind that measurement requires context in order to be understood by key stakeholders across every department. The greatest security metrics in the world mean nothing to your C-suite without a clear explanation that includes why you’ve chosen to present this data, how these numbers relate to risk, and why acting on your findings will lead to enablement.
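The following script is an added worked example and is not code from the article or from New Context. It takes the kind of finding a scanner produces (host, CVSS score) and turns the "hosts with CVSS 5 or above" metric from earlier in this section into the actuarial-style statement this paragraph calls for: expected annual loss before and after remediation, net of the cost to fix. The CVSS severity bands are the real ones; the per-band compromise probabilities, the residual likelihood after patching, the asset values and the host names are all assumed, illustrative inputs that you would replace with your own incident history or insurer data.

```python
"""Reframe a CVSS-threshold remediation metric as an expected-loss statement.

Added example. The CVSS bands are standard; every probability and dollar
figure below is an assumption for illustration and must be calibrated.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    cvss: float         # base score of the worst unpatched vulnerability on the host
    asset_value: float  # assumed single-loss value in USD if the host is compromised


def annual_likelihood(cvss: float) -> float:
    """Assumed annual probability of compromise by CVSS band.

    Bands (Low <4.0, Medium 4.0-6.9, High 7.0-8.9, Critical >=9.0) follow the
    CVSS qualitative rating scale; the probabilities are placeholders.
    """
    if cvss >= 9.0:
        return 0.50
    if cvss >= 7.0:
        return 0.25
    if cvss >= 4.0:
        return 0.10
    return 0.02


def annualized_loss(asset_value: float, likelihood: float) -> float:
    """Annualized loss expectancy: single-loss value times annual rate of occurrence."""
    return asset_value * likelihood


def risk_summary(findings, threshold=5.0, residual_likelihood=0.02, remediation_cost=0.0):
    """Expected annual loss before and after fixing every host at or above threshold.

    residual_likelihood is the assumed post-remediation probability; a patched
    host is treated as Low, not as risk-free. Hosts below the threshold keep
    their current likelihood, which is how the example handles the case where
    a threshold leaves valuable assets unaddressed.
    """
    in_scope = [f for f in findings if f.cvss >= threshold]
    before = sum(annualized_loss(f.asset_value, annual_likelihood(f.cvss)) for f in findings)
    after = sum(
        annualized_loss(
            f.asset_value,
            residual_likelihood if f.cvss >= threshold else annual_likelihood(f.cvss),
        )
        for f in findings
    )
    return {
        "hosts_in_scope": len(in_scope),
        "ale_before": before,
        "ale_after": after,
        "risk_reduction": before - after,
        "remediation_cost": remediation_cost,
        "net_benefit": (before - after) - remediation_cost,
    }


def technical_statement(summary, threshold=5.0):
    """The sentence that works in a room full of engineers."""
    return f"Remediated {summary['hosts_in_scope']} hosts with CVSS >= {threshold}."


def executive_statement(summary):
    """The same result, stated as risk and money for the C-suite."""
    return (
        f"Fixing {summary['hosts_in_scope']} systems cuts our expected annual breach loss "
        f"from ${summary['ale_before']:,.0f} to ${summary['ale_after']:,.0f}, "
        f"a ${summary['risk_reduction']:,.0f} reduction, for a one-time cost of "
        f"${summary['remediation_cost']:,.0f} (net ${summary['net_benefit']:,.0f})."
    )


# Constructed sample scan: hypothetical hosts and values, not real data.
SAMPLE_FINDINGS = [
    Finding("db-01", 9.8, 2_000_000),   # customer database with a critical RCE
    Finding("web-02", 7.5, 500_000),    # public web tier
    Finding("hr-03", 5.3, 300_000),     # HR file server, medium-severity issue
    Finding("kiosk-04", 3.1, 50_000),   # lobby kiosk, below threshold, left as is
]

if __name__ == "__main__":
    s = risk_summary(SAMPLE_FINDINGS, threshold=5.0, remediation_cost=150_000)
    print(technical_statement(s))
    print(executive_statement(s))
```

Raising `threshold` to 7.0 drops hr-03 from scope and shrinks the reduction, which is exactly the trade-off a budget conversation should surface: the threshold is a business choice about how much residual expected loss the company will carry, not a purely technical setting.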

Reframe Your Approach
Adding much-needed context to your metrics provides these benefits to you and your department:

  • Strategic Investments: Once you contextualize your data and clearly show how your department’s actions are better enabling the entire company, the rest of the C-suite will see the true value of your existence. Instead of thinking that your team is a group of people that sits in a silo, they’ll understand the daily impact you have on every single department. Therefore, they will be more willing to support you when you ask for additional funding and investments in security systems and tools.

  • More Trust and Credibility: Fostering a deeper understanding of how information security contributes to the overall well-being of the company will change the way other leaders interact with you. Rather than thinking your greatest contribution to the business is deploying patches, they'll see you as a key resource for risk assessment and high-level decision making.

  • Professional Fulfillment: Information security is a profession with notoriously high turnover, largely for the reason that prompted this article: it is hard to convey your contributions to the rest of the company and get other leaders on board with your mission. The trust, credibility, and respect you build through a revamped communication style will make your job more fulfilling and cement your footing as a company leader for years to come.

There’s no question that information security involves highly complex technical language and metrics, but that doesn’t mean you have to use only these terms when communicating with your senior-level cohorts. Build company-wide understanding around security by adding big-picture context to your metrics, and reap the rewards of trust, support, and career happiness.


About the Author

Andrew Storms

VP Security Services, New Context

Andrew Storms serves as the vice president of security services at New Context. He has been leading IT, security and compliance teams for the past two decades at companies like CloudPassage, nCircle and Tripwire. Storms' advocacy on IT security issues has appeared in CNBC, Forbes and The New York Times. He is a CISSP, a member of Infragard and a graduate of the FBI Citizens' Academy.

