To effectively communicate with the business we must learn to gain the trust of business leaders. Too often we are seen as the people who stop or block initiatives because of security concerns, or the business only see us when there is a security problem. Both scenarios result in security being viewed in a negative light.
To address this we must be more proactive and look at how security can help the business reach its goals. Regularly meeting with senior management within other departments to see what their challenges are could enable you to identify ways to meet those challenges while also gaining an ally at the senior management table. For example, a discussion with the head of sales may highlight the challenges his/her team have in accessing key corporate client management systems. If as a result of this information you can proactively identify a secure way to enable the sales team to do this, then this would positively impact the company’s bottom line and also how the security function is viewed. So developing better relationships with other business managers is a key step in establishing good communications with the business.
The next issue to address is how we communicate with the business. Many of us in security roles have come from technical backgrounds and while this is good as it enables us to better understand the threats we face, it can impact negatively on how we communicate with others. Too often we rely on technical jargon, the dreaded TLAs (Three Letter Acronyms), or the latest buzzwords to spice up how issues are presented to senior management. However, by using too much technical jargon we can “blind people with science” to the extent that they do not understand what the actual message is that we are trying to communicate. So instead of presenting the latest threats in technical terms and jargon, we should learn to express issues in plain English so they can be better understood.
Telling senior management “there is a SQL injection vulnerability that exposes our primary tables in our customer databases” does not have the same impact as saying “a security defect in our website could allow criminals to access all our customer records leading to damage to our reputation and potential legal and regulatory issues”.
We also need to realize that not everything can be a top priority. Businesses are not run, and are not profitable, by reacting to every emergency and trying to address every issue. Businesses look at issues, determine their potential impact on the bottom line (be that positive or negative), what needs to be done to manage the issue, and whether or not it is actually worth dealing with the issue. If, as CSOs, we run to senior management claiming every threat and issue is a top priority, we will quickly be viewed as the boy who cried wolf. To better engage the business in dealing with security issues, we need to present them in terms of risk that the business can understand.