A few days ago, we posted the results of a recent survey by Hanover Research, which found that security professionals have difficulty communicating with executives. This is not a surprise to me, as you’ll note from my past posts on “connecting security to the business,” here on this blog.
As a recap, some of the key findings from the study were as follows:
- Only 38% of non-executive respondents use business-oriented language when communicating with senior executives
- 48% of non-executive respondents believe it is somewhat or very difficult to discuss information security with senior management
- 78% of executive respondents and 85% of non-executive respondents ranked risk management as the highest among key issues they need to communicate with executive leadership about
While the results of the study show data from the US and Canada, I know this is not just a North American problem – I think it’s global.
I have spent about half my time in the last month in Europe, and the topics of discussion are identical to those I find in the US. Many of the discussions I’ve been in lately remind me of a quote from Alan Greenspan:
“I worry incessantly that I might be too clear…”
Many of the problems with our communication are simply habitual, but another huge factor is our tendency to remain in our comfort zones.
After all, many of the security people I work with (including the technically-savvy security executives) tend to come up through the ranks, and spend a lot of time with other people who “geek out” on the nitty-gritty details of security.
One of the other aspects of security geeks is that we actively challenge each others’ assumptions, which we overcome by throwing out more data.
Unfortunately, these habits don’t help us when we deal with non-technical executives. They want simple and confident, not voluminous and defensive. Plus, they want to understand a lot more of the “so what?” than the “what happened?” when they hear from us.
After all, why should they learn our craft, when that is why they pay us?
The challenge is in presenting concisely, but leaving things simple enough that your words leave the impression you want to create, not that your audience become masters of information security.
Current events are forcing us to develop new skills in this area, as the media is driving more non-technical executives to ask questions about information security. How’s it working for you? Any good breakthroughs to share? I’d love to hear from you.
You can find the full study at this link.