One of the biggest challenges information security leaders have is being able to to effectively communicate the value of their team’s efforts across the organization – especially upstream to the C-Suite, Board of Directors and other non-technical executives.
As role of the CISO expands, it has evolved beyond simply being a security manager to that of a business leader, so CISOs need the ability to accurately report on their organization’s state of security and communicate the benefits of a proactive security effort in a language the rest of the organization can understand.
At Infosecurity Europe 2014 panelists Dwayne Melancon (@ThatDwayne), Stephen Bonner (@StephenBonner), Thom Langford (@ThomLangford) will hold a session that addresses this very issue. Titled One Big Threat to Cyber Security: IT Geeks Can’t Talk to Management, the panel will commence on Tuesday, 29 April from 14.00-14.25.
This session will draw from the experience of seasoned CISOs with proven track records in enabling core business objectives by influencing key stakeholders in the organization. These risk and information security leaders will share their advice on how to effectively create and demonstrate security’s value to the entire business while ensuring that security efforts are more visible to the rest of the organization.
“The security function is often seen as doing security for its own sake, rather than for the benefit of the business, and so misses the point of security entirely which is really about managing risk to acceptable levels, something organizations are able to balance every day,” said panelist Thom Langford, Director of Security Risk Management in Sapient’s Global Security Office.
“The security function all too often acts in a condescending manner thinking it knows what is best for the business when in fact it is just one of the many supporting functions that allow the organization to make valid business decisions,” Langford explained.
This session will also demonstrate why CISOs and their teams must direct their efforts towards prioritizing their activities to the most relevant risks – those that are aligned with the overall enterprise risks of the organization – which is at the onset, may seem to be a Sisyphean endeavor.
“I have struggled myself in building a security organization that is respected and relied upon by the business. Getting it wrong wastes time, money and puts organizations at risk,” Langford said.
Tripwire Chief Technology Officer and fellow panelist and Dwayne Melancon agrees says that tactically, good communication skills often mean the difference between getting projects funded and not. Recently, however, this is become more of a strategic topic.
“Business executives are far more interested in what is happening with information security than ever, thanks to a plethora of high-profile, very visible breaches and security incidents,” Melancon said. “It is crucial that we all share information about how to more effectively communicate to our business audience, because that is what is right for the business.
This session will also discuss the findings on the latest Ponemon research about Risk-Based Security Management, which is rapidly gaining acceptance as an essential security practice.
“Business operations and risk managers are looking for directional information to guide their decisions. On the other hand, IT operations and IT security departments tend to view security risk management as a math problem that has a very precise answer,” said Dwayne Melancon, chief technology officer for Tripwire.
“People with these viewpoints are talking about the same thing, but they are using very different language, which can make it difficult to come to a mutually agreed point of view. Often, this feels like ‘Mars and Venus’ problem, and people in infosec are not well-prepared to meet the challenge.”
The panel will discuss how to measure security effectiveness and track meaningful metrics, perform benchmark analysis and comparison reporting against your industry or peers, analyze whether you’re properly invested and resourced given your risk appetite, how to justify IT investments and communicate that IT security is a key factor in the successful operating of an organization.
The session will provide tips that will help CISOs better align with their organization’s business objectives and goals, and what they can do to support them rather than hinder them.
“By not aligning the security functions becomes sidelined and eventually ignored, with mere lip service being paid to it, so at best it will be a pure compliance function rather than a core capability and enabler of the business. Don’t become the conscience of the business,” Langford said.
“With so many security organizations not aligned like this, and aligned through IT or the COO or even CFO this is a capability that can only get better if it is understood and built upon.”
Melancon says he hopes the audience will come away with a few actionable, practical techniques that will enable them to better connect with their business counterparts and feel more confident in communicating without going into the weeds, because too much jargon or technical minutia is where security practitioners run the risk of losing the attention of our audience.
“I believe this capability will be coming expected part of business acumen in the future,” Melancon said. “People who invest now to learn the skills and techniques necessary to communicate to the rest of the business will be ahead of the game.”
Editors Note: Click here for more information on the Information Security 2014 and how you can get a complimentary Expo Pass.
- The Meaning of Security Hype
- Selling Security: Risk-Based vs the Mutual Business Benefits Approach
- Attacking the ROI of Advanced Persistent Threats
- On Connecting Security to the Business
Check out Tripwire SecureScan™, a free, cloud-based vulnerability management service for up to 100 Internet Protocol (IP) addresses on internal networks. This new tool makes vulnerability management easily accessible to small and medium-sized businesses that may not have the resources for enterprise-grade security technology.
The Executive’s Guide to the Top 20 Critical Security Controls
Tripwire has compiled an e-book, titled The Executive’s Guide to the Top 20 Critical Security Controls: Key Takeaways and Improvement Opportunities, which is available for download [registration form required].
Title image courtesy of ShutterStock