Earlier this year, I began writing about my project relating to “connecting security to the business.” Essentially, I want to find repeatable methods to help information security people communicate the business value of their activities to non-technical audiences. Starting today, and continuing for the next few weeks, I’ll be sharing some of the things I’m learning on this journey.
Part 1: Engage the Business
Since we’re trying to get through to the rest of the business, what better way to begin than to find someone from the business who can collaborate with you? Through conversations with a number of enterprises who’ve had success, this is emerging as a best-known method.
From what I’ve seen, the tricky part is identifying someone who a) “gets” what you’re trying to do, b) has the cycles to help you develop reporting, and c) understands the business well enough to be an effective source of input for you. For best results, try to identify someone from business unit management, or perhaps someone who is involved in financial reporting. Look for someone senior, or someone who acts on behalf of someone senior when it comes to reporting (in other words, someone who takes mountains of numbers and creates succinct operational reports, board packages, and things like that can be a great ally).
When you approach this person, explain that you are looking for guidance on how to better represent the tactical activities of information security, in a way that relates to the business in terms that non-technical stakeholders can understand. Ask for help on things like:
- Acting as a sounding board so you can try out your “pitch,” show them draft reports, etc.;
- Providing input so you can tune and improve the information you’re presenting, the terms you’re using, etc. for better business resonance;
- Providing insight into the things the rest of the business cares about (high-level initiatives, indicators and projects from other teams’ dashboards, etc.);
- Providing examples of effective reports from other organizations so you can learn from them;
- Helping you build the “story” you want to tell, and helping you make it relevant.
The tricky part, from the conversations I have been involved in, is finding someone who recognizes how information security can add value to the business. I have heard of successes in finding allies in finance, since they understand the value of IT controls and accountability, as well as business unit or application owners who understand that issues in information security can negatively impact their application availability, data security, etc.
If you’ve had success in finding champions to help you connect your team’s value back to the business, please share.
Next week, I’ll share another aspect of what I’m learning from this project.