In last week’s post, I talked about the importance of getting help from a non-technical “coach” in another part of the business. This week, I want to share something I’ve noticed as I’ve spoken with individuals who have been effective in bridging the communication gap between infosec and the business:
Understand how your company makes money
During my research over the past few quarters, I’ve noticed that some of the people I’ve spoken with stand out because they really know how their business works. In essence, they know how their companies make money, increase profitability, retain customers, etc. (whatever is most important to their companies).
Some of the steps they take are easily mimicked:
- Read your company’s annual reports. If your company is public, spend time reading the annual report to learn about the company’s business strategy, business model, goals, risks, and more. You will also pick up terms that can help you talk about your work using words with which the rest of the business is already familiar. This means improving your ability to relate your work in information security to its impact on specific business units, lines of business, regions, products / offerings, and risk areas so that what you do is immediately recognized as valuable (or at least more likely to be seen that way).
- Does your company have internal blogs, newsletters, or other resources that discuss business priorities, major projects, major issues and concerns, or major initiatives? If so, mine these resources to help you position your team’s activities in relation to what’s important – remember, value is relative, so make sure people see the connection between your work and the things that matter to the business.
- Research and follow your company’s competitors. Watch for security issues (such as breaches, information leaks, etc.) as they may be early indicators of something that will soon threaten you. Also, be ready to explain to non-technical executives how you are mitigating the risks of problems your competitors have experienced.
- Understand things like the following, and the role of IT in each of them:
  - Revenue growth and/or revenue recognition (what are your company’s revenue growth targets, and how does IT play a part in revenue recognition?)
  - Customer retention / customer service
  - Brand reputation and trust
  - Service delivery targets and availability commitments
  - Contractual, legal, and regulatory commitments to which your company is accountable