Features

Ways to communicate security benefits to management

The
importance of information security and technology risk management
continues to grow, but many risk and security professionals including
CIOs and CISOs continue to struggle with non-IT executive
communication.

The
importance of information security and technology risk management
continues to grow, but many risk and security professionals including
CIOs and CISOs continue to struggle with non-IT executive
communication.

Gartner
vice president and distinguished analyst Paul Proctor said one of the
greatest challenges security teams face is not how to reduce risks
but how to convey the benefits of risk management to leadership.

The
pace of change in the age of digital business and the Internet of
Things means risk and security professionals are forced into a state
of continuous conflict between the business wanting to drive
innovation, and the security team needing to rein in risk.”

Executive
decision makers want to know the business is adequately protected
against risk but need to weigh the risks of yesterday and today
against the opportunities of tomorrow.

Having
reviewed more than 300 board presentations on risk and security,
Gartner found that in the vast majority of cases, the reports
contained too much information and fear, were overly complex, lacked
alignment with wider business strategies, and had no connection to
board-relevant decision making.

The
challenge is how to get the two sides to work in harmony. To do that,
security teams need to learn to communicate the benefits of security
changes as much as they do the risks,” says Proctor.

In
his recent report on linking risk and security to corporate
performance, Proctor had these eight practical tips for
communicating benefits to executive decision makers:

 

1.    Formalise
risk and security programs
A
formalised program is one that is repeatable and measurable. It
contains four key phases: a govern, plan, build and run phase.

2.    Measure
program maturity
Using
a maturity scale to measure your program identifies gaps and
opportunities to improve. Maturity is also a good abstraction for
executive decision makers who do not always understand technology.

3.    Use
risk-based approaches
Risk
management is an explicit recognition that there is no such thing as
perfect protection. Organisations must make conscious decisions about
what they’ll do, as well as what they won’t do to mitigate risk.
Stakeholders in non-IT parts of the business must make these
decisions, not leave it up to IT professionals alone. But more
importantly, risk managers must take a proactive approach to risk
assessment and management. They need to manage risk, not be managed
by it.

4.    Use
lead indicators of risk conditions
Risk
managers need to define new leading indicators of business
performance that includes both key performance indicators (KPIs) and
key risk indicators (KRIs). They should not focus exclusively on
IT-centric KPIs. Doing so perpetuates the notion that IT risks relate
only to IT.

5.    Map
KRIs to KPIs
Most
organisations have a plethora of operation risk and security metrics.
While these are extremely valuable for internal operations, they have
little value to business decision makers. Good KRIs are simple and
measurable and have a direct impact on multiple KPIs.”

6.    Link
risk initiatives to corporate goals
Using
fear, uncertainty and doubt to get executive support doesn’t work.
Executives don’t want to hear how bad everything will be if they
don’t invest in risk management and security. It’s equally
useless to cite returns on investment because risk does not return a
tangible dollar for dollar value. The best way to win executive
support is to demonstrate business value.

7.    Remove
operational metrics from executive communications
Don’t
use operational metrics to communicate at a business executive level.
Executives lack the background and training to understand the meaning
in a business context.

8.    Clearly
communicate what works and what doesn’t
In
a risk-based world, a business-oriented audience wants to know: 
What
are our risks? What is our posture? What do we do about
it?
 Communicate that well and you’ve won half the battle.

 

 

Show More

Related Articles

9 thoughts on “Ways to communicate security benefits to management”

  1. Also the content is
    Also the content is potentially misleading when it says you can add a send-only or a send-and-receive account, and we’ll configure the SMTP server settings
    as part of that”.

    my web page – hotmail 365 brighton

  2. Of course, in Sabah, where
    Of course, in Sabah, where tourism and diving are the two key elements that bring the region to the
    attention of the world, it is very important to provide the best possible conditions in these areas,
    so that everyone may be satisfied. With that, as a scuba
    diving instructor you will be able to bring others up to scuba
    diving. Like dive prevents you will waterless perhaps even heated.

    My site :: cable news

  3. First of all I would like to
    First of all I would like to say wonderful blog! I had a quick question which I’d like to ask if you don’t mind.

    I was curious to know how you center yourself and clear your thoughts before writing.
    I have had a hard time clearing my thoughts
    in getting my ideas out. I do take pleasure in writing but it just seems like the first 10 to 15 minutes are usually lost simply just trying to figure out how to begin. Any recommendations or tips?
    Cheers!

    My blog post … legitimate home based business opportunity

  4. My coder is trying to
    My coder is trying to persuade me to move to .net from PHP.

    I have always disliked the idea because of the costs.

    But he’s tryiong none the less. I’ve been using Movable-type on various websites for about a year and am
    anxious about switching to another platform.
    I have heard very good things about blogengine.net.
    Is there a way I can transfer all my wordpress content into it?
    Any kind of help would be greatly appreciated!

    Here is my web site – diy home improvement (homeimprovementdaily.com)

  5. This means you can watch your
    This means you can watch your favorite TV shows whenever you like
    and you won’t miss an episode. All you will require can be a chroma key screen or backdrop and
    hang it in a place in your home, which will have enough space for you to step up
    a simple studio. You can upload lower size video to
    You – Tube, put full-screen video to your Mobile Phone, i – Pod, i
    – Phone, LG, Nokia etc.

    Feel free to surf to my web blog: cubase 7 crack

  6. The official trailers of the
    The official trailers of the interlude are quite tempting because they reveal a lot
    about upcoming events. Wella hair care products take the value
    of the most modern science and combine it with your hairdresser’s proficiency.
    In the second installment of the cooking dash series, cooking
    dash diner town studios we have Flo and Grandma helping the restaurants that are
    located on the studio lot.

    Have a look at my blog post … movie star planet vip hack

  7. Without it, he’ll never have
    Without it, he’ll never have some time on his
    own to realize that not having you around isn’t what he pictured – and that he misses you.
    Paid search is an extremely effective way for
    companies to get their names at the top of Google,
    Yahoo, and Bing search results. Send news or tips to ohionewsbureau@gmail.

    Here is my web blog – tap titans artifact guides (Chara)

  8. Howdy! I know this is kinda
    Howdy! I know this is kinda off topic however I’d figured I’d ask.
    Would you be interested in trading links or maybe guest writing a blog
    article or vice-versa? My website addresses a lot
    of the same topics as yours and I feel we could greatly benefit from each
    other. If you might be interested feel free to
    send me an e-mail. I look forward to hearing from you!
    Awesome blog by the way!

    Here is my webpage slut roulette

Close