This week, I am at an event with a large group of US Federal agency security executives (CISOs, CSOs, CIOs, etc.) and we’ve been having some great discussions about how to “connect security to the mission.”

Today, I had the honor of chairing several boardroom discussions with about 40 of these folks to talk about the challenges and opportunities of communicating the value of security to other parts of the organization.

“Doctor, my business doesn’t understand me…”

One specific challenge has consistently emerged as a blocker:  finding “translators” in their organizations who possess both technical acumen and the capacity to communicate to the business in a way that resonates.  I believe this is becoming an essential skill for successful information security organizations, and one that will only grow in importance.

In our boardroom discussions, we spent some time talking about where and how to add these skills to our teams.  Here is a short list of ideas from the groups:

    1. Incorporate “security to business translation” into the skills you look for when hiring key roles.  We often look for specific competencies when hiring people – why not look for this one?
    2. Teach an existing staffer.  Budgets are tight – maybe you don’t have the luxury of hiring someone new.  If that is the case, coach someone to develop this skill.
      • There was some consensus in some of the groups that it is easier to take someone with a business background and train them on the technology than it is to take a pure technologist and train them to ‘speak business’. What do you think?
    3. Find someone in a compatible role and repurpose them. We discussed where to find people who were well suited to take on this translation role, and found that there were a couple of places you can find them:
      • Internal Audit / IS Audit:   People in this role are already well on their way – they have to deal with both technical and business people in the organization, and they understand risks and controls.
    4. Bring in Marketing.  What? Marketing? It turns out that one of the agencies has found great success in leaning on Marketing to create Executive dashboards.  They’ve worked with the reporting team to interview the executives who’ll consume the reports and used that information to develop crisp, clear dashboards that the Execs actually look forward to receiving.  This was an unexpected surprise, for sure.
    5. “Be lucky.”  This isn’t a repeatable practice, but a number of organizations just happened upon people who had these skills, and were able to leverage these skills to break through the language barrier.  I’d rather think of this one as “Be observant and leverage the innate abilities of your team.”

How does this compare to your situation?  Do you feel this is a skills gap that is impacting your success, or your organization’s?  And if you’ve already solved this problem, how did you do it?


Dwayne Melancon

Dwayne Melancon has contributed 139 posts to The State of Security.
