It is difficult to talk about security to those who do not have a working understanding of the subject. That difficulty leads to frustration, frustration leads to misunderstanding, and misunderstanding leads to wrong decisions and disasters.
The right strategies
No matter how awkward, you have to talk about security frankly to your management at some point. Maybe they will be confused at first, but it is your job to turn confusion into understanding, and ignorance into knowledge. The way to do that is to use the power of storytelling, because jargon-laced communication is a surefire way to completely alienate an audience.
As Feisal Nanji, Chief Information Security Officer at Adventist Health, writes in his blog: “Don’t say, ‘Application-layer vulnerabilities in our Internet-facing systems’; say, ‘Chinese hackers breaking into our portal.’”
Nanji, with over 20 years of experience in IT strategy and implementation, started his own consultancy called Techumen, after he had left Ernst & Young (EY). Nanji rightly understands what is at the heart of successful public communication.
As is now well understood in other fields, most notably in activism and progressive journalism (for want of a better expression), concepts are best explained through precedents or examples. Nothing conveys knowledge as successfully as presenting it in an appropriate context, as Nanji’s example above demonstrates. For instance, if you will pardon the obvious facetiousness in pointing it out, this paragraph uses an example to explain the importance of using examples.
Nanji recommends the book Slide:ology by Nancy Duarte for a better understanding of the importance of visuals and how to use them to your advantage. “The cliché about pictures being worth 1000 words is true. One well-crafted image can communicate more, and more quickly, than a wall of text,” writes Nanji.
Leaving out irrelevant details is as important as accuracy, because the wrong emphasis will pull focus away from what is really important, and the essence of the message will be lost. “If six factors are in play, and one of them will drive 80% of the outcome, don’t mention the other five,” Feisal Nanji advises.
Nanji also suggests building a relationship with the tech-savvy person among the executive ranks or on the Board. With that person’s help you can refine your presentation until it is as precise, comprehensive and effective as possible.
Warning about the grave danger of security risks may be a necessity, but the fine line between advocating required caution and scaremongering must be toed. Overstating the danger will eventually hurt your credibility. Being honest about the uncertainty lets you convey an accurate sense of the best, worst, and “in-between” scenarios, so that your audience can appreciate the range of outcomes. An example of such an explanation from Nanji’s article reads: “We have old pipes over the data center. Best case, they burst over the store room, and no one will notice. Worst case, they burst over the main demarc, and we lose Internet connectivity.”
It is vitally important to understand precisely which risk is a compliance risk and which is a security risk. You have to point out the difference between a security risk, which can be approached in many different ways, and a compliance risk, which is usually a box that must be ticked.
Nanji identifies a serious problem that all security professionals face: “A common management complaint is that IT spending is very high, but the benefit is unclear.” The way to combat that is to offer a range of options, rather than the one perfect (and very expensive) solution. This gives management a better sense of the costs and benefits of each option.
The right knowledge
You have to recognize that every executive will approach the subject from a different perspective. Some will be less engaged than others, and some will be very involved. The higher the audience level, obviously, the fewer details you should include, Nanji suggests in another blog post.
You have to study the market very carefully. One of the first things your higher management will want to know is what other companies are doing about matter “X”. You have to have sufficient understanding and awareness to suggest which approach is best and worth following, and which should be avoided. “Whether it comes to a particular technology such as email encryption, or larger issues such as staffing levels and organizational structure, this is always welcome information to a leader,” Nanji writes.
You have to inform your management about the impact or damage of a foreseeable security breach. Management must understand the risk criteria, that is, what a high risk means to their organization.
Extending that idea, it is a necessary step to walk management through the possible consequences of a breach, what Nanji calls a “premortem.” The walkthrough will be “a narrative describing the few, most likely events that will result in a breach. It can be a dodgy vendor, a vulnerable workflow, or a key yet missing piece of technology,” Nanji’s post reads. He recommends including the steps you are taking to prevent the breach you walked them through, or the steps you would like to take to prevent it. Most importantly, acknowledge where your risks are.
While it’s not wise to overwhelm your audience with numbers and figures, it is also not wise to underestimate the power of numbers. Providing figures for how many systems, applications, and risks you are managing, and how many attempted viruses, phishing attempts, or lost smartphones you deal with in a month, can really help communicate the size of the security challenge and its trend line over time.
Threats that are rare but would be catastrophic if they occurred are also worth mentioning. These kinds of events include floods in the data center, UPS battery fires, and a sloppy support vendor taking down a system. The reason they are worth mentioning is not that they are unacceptable; they are accepted. It is to show management that you have thought about them.