
Tripwire has announced the results of a survey of 131 information security professionals that revealed key differences between the way executive and non-executive IT professionals communicate with senior leadership. The online survey was conducted this year between January and March by Hanover Research.

Key survey findings include:

  • Only 38% of non-executive respondents use business-oriented language when communicating with senior executives
  • 48% of non-executive respondents believe it is somewhat or very difficult to discuss information security with senior management
  • 78% of executive respondents and 85% of non-executive respondents ranked risk management highest among the key issues they need to communicate to executive leadership

“Information security risk is getting a lot of attention due to high-profile incidents and increasing pressure from the SEC, but the good news is this means critical security and risk conversations are occurring at very senior levels in the organization,” said Dwayne Melancon, chief technology officer for Tripwire.

“The bad news is most IT security professionals haven’t developed the necessary skills to communicate effectively with non-technical executives.”

“IT security professionals tend to focus on granular, technical information, but senior leadership wants to focus on how security can protect business goals like revenue growth, profit, competitive agility and customer satisfaction,” Melancon continued.

“This ability to communicate the value of information security in terms easily understood by the rest of the business is a critical skill for career success in IT security. Connecting security to the business is destined to become the new normal.”

For more information about the survey, please visit http://www.tripwire.com/register/ciso-insight-survey/.

Title image courtesy of ShutterStock

  • shahjahan khan

    Nice information! Most organizations still have an ostrich's approach towards information security. Meaning: we don't have attacks, so we are safe.

  • Don O'Neill

    The article has it backwards. The real problem is that executives lack sufficient STEM expertise to operate in the modern world. This extends to communicating with experts on the Cyber Security challenges that threaten their operations.

    Just as a programmer needs to explicitly check boundary conditions in specifying inputs to a procedure, executives need to establish pre-conditions for using cloud computing or the Internet. As a minimum, consumers need to assert the degree to which they can afford to lose information and data they plan to put in the cloud and on the Internet, the degree to which they can protect these assets, and the risk and consequences for stepping over the red line of rational conditions.

    Executives and experts should collaborate on this problem jointly and learn how to communicate for the benefit of everyone.

  • Mark E.S. Bernard

    Blaming the Executives who have their own areas of expertise and specialization is not the correct approach. It’s a maturity issue normally, a soft skill that security professionals need to acquire and can't really be taught. The difficulty that most security professionals have is the ability to quantify issues in terms that their audience can embrace. The other issue is that Executives don't have time to coach security professionals into saying what they need to hear; normally you have one chance only, and if you fail you will be relegated to someone who knows how to communicate with the Executive team. Executives want to hear the answers to three questions: #1. What problems are you going to solve? #2. What is the impact to the organization? #3. How much will it cost? You need the answers to be captured on 3 – 7 slides and you need to carry your backup material just in case they decide to probe your topic. Be bright and be gone!

  • Don O'Neill

    One of the difficulties associated with Cyber Security is that more than adding business value, Cyber Security challenges are more apt to erase business value through loss of reputation and trust, risk of liability, negative effects on financial markets, and a signal of weakness to competitors and adversaries.

    These difficulties may not drive the boat, but they have the potential to sink the boat and do so with lightning speed.