Threats to information security are real and constant, and there are so many avenues that affect an organization’s risk posture—internal, external, loss, theft, cloud computing, social media and mobile devices.
Security professionals may think they will never win the battle. Just ask any of the 80 percent of organizations that have experienced a data breach over a 12-month period.
The 2012 Data Breach Investigations Report (.pdf here) states:
- 97% of breaches were avoidable through simple or intermediate controls (+1%)
- 96% of attacks were not highly difficult (+4%)
- 94% of all data compromised involved servers (+18%)
Despite the continuous threat to data and its potential impact on business, there remains a lack of connection between information security officers and those at the executive level. As reported in the 2012 CyLab Report from Carnegie Mellon University (.pdf here), nearly 75 percent of all organizations do not report on security risks to the C-suite.
This is particularly true of critical infrastructure industries, such as energy and utility companies, where the threat is of the highest national urgency.
Overcoming Security Stereotypes
This disconnect may be a result of the way in which businesses have traditionally viewed IT and security personnel—as “geeks in lock-down mode”—and security incidents as “nuts and bolts” events. This is troublesome, since the collateral damage from security vulnerabilities and threats is at an all-time high.
A single major data breach can mean a loss of revenue and reputation; it can disrupt business; and it can result in millions of dollars in fines and expensive remediation. It is for these reasons that security risk management is finally catching the attention of the C-suite. Yet only one in eight organizations feels that information security can influence business decisions (.pdf here).
To Influence, Learn to Communicate
According to the Security for Business Innovation Council (.pdf here), 2013 will continue to test information security’s mettle, despite the fact that infosec teams have long lobbied to be business enablers, not inhibitors. But again there is a disconnect, one that thwarts this important goal: a communication gap.
To paraphrase a popular self-help book from the 1990s, security speaks Martian and business speaks Venusian. With risk nipping at the heels of business 24/7, it is time that both parties spoke the same language.
However, the responsibility for closing that gap should fall on security’s shoulders. For security issues to converge with overall strategy, information security executives must learn to communicate in business language that can be understood across the organization.
Five Tips for Connecting Security to the Business
- Understand that security is not a technical problem, but rather a dimension of the quality of the products and services a business delivers
- Align security priorities with the different categories and objectives of the business
- Articulate to the CFO the potential financial loss from a data breach
- Communicate to the sales organization that a data breach makes it harder to gain and retain customers
- Learn to talk the C-suite language up and down the organizational chain
For more insights from infosec thought leaders on these issues, watch the video Enter the CISO: Torchbearer of Security and Risk Management.