
In last week’s post, I talked about the importance of getting help from a non-technical “coach” in another part of the business.  This week, I want to share something I’ve noticed as I’ve spoken with individuals who have been effective in bridging the communication gap between infosec and the business:

Understand how your company makes money

During my research over the past few quarters, I’ve noticed that some of the people I’ve spoken with stand out because they really know how their business works.  In essence, they know how their companies make money, increase profitability, retain customers, etc. (whatever is most important to their companies).

Some of the steps they take are easily mimicked:

  • Read your company’s annual reports.  If your company is public, spend time reading the annual report to learn about the company’s business strategy, business model, goals, risks, and more.  You will also pick up terms that can help you talk about your work using words with which the rest of the business is already familiar.  This means improving your ability to relate your work in information security to its impact on specific business units, lines of business, regions, products / offerings, and risk areas so that what you do is immediately recognized as valuable (or at least more likely to be seen that way).
  • Does your company have internal blogs, newsletters, or other resources which discuss business priorities, major projects, major issues and concerns, or major initiatives?  If so, mine these resources to help you position your team’s activities in relation to what’s important – remember, value is relative so make sure people see the connection to things that are important to the business.
  • Research and follow your company’s competitors.  Watch for security issues (such as breaches, information leaks, etc.) as they may be early indicators of something that will soon threaten you.  Also, be ready to explain to non-technical executives how you are mitigating the risks of problems your competitors have experienced.
  • Understand things like the following, and the role of IT in each of them:
    • Revenue growth and/or revenue recognition (what are your company’s revenue growth targets, and how does IT play a part in revenue recognition?)
    • Customer retention / customer service
    • Brand reputation and trust
    • Service delivery targets and availability commitments
    • Contractual, legal, and regulatory commitments to which your company is accountable
  • Etc.
The more you know about the business and the more you relate your activities to business priorities, the more credible you’ll be as you talk about what you do.  Also, you’ll find that you can add value beyond your own team which may get you invited to more meetings or enable you to get more visibility & “props” in your developing career.
What about you – do you have any other tips to help others learn more about their businesses?  Please share them with us.
Next week, we’ll talk about some key stakeholders you can align yourself with to improve your effectiveness.

 

  • Charles Fenoughty

    Splendid article, and bang on task. Security can only ever be as strong as the weakest link in the chain: people!

    Getting the conversation between IS and internal comms is, in my opinion, the best place to start.

    Charles Fenoughty
    Sequel Group

    • I agree, as long as the people feel like management is bought in.  Culture works best with strong tone at the top! Thanks for stopping by and commenting.

  • Helen Wilson

    I completely agree – internal communications is at the heart of a business; they understand it and even more importantly understand their employees so know how to communicate to them. Security is considered a dry subject matter by many but internal communications will know how to position it so that it engages your audience plus they will be able to relate it to other activities going on in the business.

    • Absolutely – I see engagement as key – not just informing – thanks for highlighting that.