
Risk

11/2/2012

3 Ways To Get Executives To Listen About Risk

The C-suite can't make informed decisions about IT security risks that they don't truly understand -- here's how to better communicate what they need to hear

Communication skills are among the most important in an IT risk manager's tool kit. If threats can't be conveyed to a business's upper-level management, it's going to be awfully hard to convince those managers to loosen the purse strings. But one shouldn't rely on choice turns of phrase or smooth talking alone to communicate risk successfully. There's also a lot of underlying homework, and a fundamental shift in attitude, that needs to happen before the message will resonate with the C-suite. Here are three important tips for achieving that goal.

[Hackers fixate on SQL injections -- CSOs, not so much. See The SQL Injection Disconnection.]

1. Insert ROI Into The Equation
Quantifying the return on investment from security spending remains one of the long-lamented challenges in the IT security industry. Some continue to wonder how you can put a valuation on an incident that never happens. But that valuation does exist, says Joe Fisher, president of Affinity IT Security.

"The value of avoiding negative consequences is both real and quantifiable," Fisher says. "The ROI calculation must recognize and account for the value of avoiding the full scope of economic damages that can result from a breach."

If you need a little help, start by grabbing a newspaper and looking for public details about the consequences other companies have paid for past breaches.

"To help justify purchases, security departments can cite examples of data breaches and what those consequences were: regulatory penalties, decline of company reputation, job loss -- including at C-level, and identity theft leading to monetary loss," says Michelle Head, technical consultant with the security practice at Force 3.

But don't just come to the boardroom with newspaper clippings. Convert those public figures into what a breach of a comparable asset would cost your own company. And do some digging for the costs that don't make the news.

Fisher recommends that an ROI estimate account for at least six variables: the cost of forensic analysis to determine the scope of the breach; the cost to remediate the compromised systems and re-establish a secure environment; the cost of the additional controls needed to prevent a repeat of the same attack; the legal costs of the breach; the revenue lost because of the breach; and the potential damage to the stock price following the breach.

"The costs of each of these can be estimated and should be aggregated to form a comprehensive assessment of potential damage," Fisher says. "This can then be discounted by the likelihood of the breach occurring to arrive at a risk adjusted damage estimate."

2. Come Ready With Threats Prioritized Against Business Objectives
Simply stepping into the CEO's office and stating that there are 10,000 vulnerabilities in the company's application portfolio or that there were 22 incidents last year stemming from uneducated users doesn't necessarily get you any closer to communicating the risks.

Risk conversations that consist of a laundry list of infrastructure vulnerabilities or network threats may raise concern, but they won't necessarily educate executives well enough for them to decide which risks to accept and which to mitigate.

"The point is managing risk to business performance objectives," says Brian Barnier of ValueBridge Advisors. "Think about how many Olympic athletes wished they had better avoided injuries or taken a greater risk to score a point."

CEOs respond well to numbers, but only when those numbers are framed in terms of what they mean for business objectives and the bottom line. That framing starts with making sure the words you use come from the business lexicon, not from a technical dictionary.

"Anything really technical we tend to flub because we walk into the CEO's office and start spouting acronyms," says Mike Murray, managing partner for consulting firm MAD Security. "And we expect that person to take that and translate it to business speak in their head without realizing that it's our job to translate it for them in a way they understand."

Similarly, the numbers need to be converted into dollars-and-cents impact. That means a quantitative analysis of how much past threats cost the business, how likely each is to recur, how much it will cost to prevent each one in the future, and, given the expected budget, where the money should go first. It's also key to include the potential impact on revenue should a risk be accepted and the worst then occur.

"There are simply too many issues to be fixed, and no company can address them all. What we often do not see is a prioritized list of which holes to fix based on a quantitative analysis," says Naeem Zafar, president and CEO of Bitzer Mobile. "If an IT organization can only fix three issues, they are likely to be the ones that cause the most harm or provide the best return for the organization. CIOs should play a strategic role by addressing these issues based on quantitative analysis."
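The arithmetic behind tips 1 and 2, carried through end to end, as an added worked example (it is not code from the article or from any of the people quoted in it). It sums Fisher's six cost components per breach scenario, discounts the total by the scenario's annual likelihood to get the risk-adjusted damage, then ranks candidate controls by risk reduction per dollar and funds them greedily until a budget is exhausted. Whatever is left unfunded, or whose cure costs more than the expected loss, is the list the business is being asked to accept. All scenario names, likelihoods, cost figures and control names are constructed for illustration and are not drawn from the article.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class BreachScenario:
    """One breach scenario costed with the six variables Fisher lists."""
    name: str
    likelihood: float       # estimated probability of the breach in one year
    forensics: float        # forensic analysis to determine the scope
    remediation: float      # remediate and re-establish a secure environment
    prevention: float       # additional controls to prevent a repeat
    legal: float            # legal costs
    lost_revenue: float     # revenue lost because of the breach
    stock_impact: float     # potential damage to the stock price

    def total_damage(self) -> float:
        """Aggregate of the six cost components, before discounting."""
        return (self.forensics + self.remediation + self.prevention
                + self.legal + self.lost_revenue + self.stock_impact)

    def risk_adjusted_damage(self, likelihood: Optional[float] = None) -> float:
        """Total damage discounted by likelihood: the expected annual loss."""
        p = self.likelihood if likelihood is None else likelihood
        return p * self.total_damage()


@dataclass(frozen=True)
class Control:
    """A candidate mitigation that lowers one scenario's likelihood."""
    name: str
    scenario: str            # BreachScenario.name it addresses
    cost: float              # purchase plus first-year operating cost
    likelihood_after: float  # residual likelihood once deployed

    def risk_reduction(self, s: BreachScenario) -> float:
        return s.risk_adjusted_damage() - s.risk_adjusted_damage(self.likelihood_after)

    def net_benefit(self, s: BreachScenario) -> float:
        """Negative means the cure costs more than the disease."""
        return self.risk_reduction(s) - self.cost


def prioritise(scenarios: List[BreachScenario], controls: List[Control],
               budget: float) -> Dict[str, object]:
    """Rank controls by risk reduction per dollar and fund them until the budget runs out.

    Returns what to fund, which scenarios the business is asked to accept (with
    their expected annual loss), and expected loss before and after the spend.
    """
    by_name = {s.name: s for s in scenarios}
    ranked = sorted(controls,
                    key=lambda c: c.risk_reduction(by_name[c.scenario]) / c.cost,
                    reverse=True)
    funded: List[Control] = []
    covered = set()
    remaining = budget
    for c in ranked:
        s = by_name[c.scenario]
        # skip controls with negative ROI, scenarios already mitigated, or unaffordable items
        if c.net_benefit(s) <= 0 or c.scenario in covered or c.cost > remaining:
            continue
        funded.append(c)
        covered.add(c.scenario)
        remaining -= c.cost
    residual = {c.scenario: c.likelihood_after for c in funded}
    return {
        "funded": [c.name for c in funded],
        "accepted": {s.name: s.risk_adjusted_damage()
                     for s in scenarios if s.name not in covered},
        "budget_left": remaining,
        "expected_loss_before": sum(s.risk_adjusted_damage() for s in scenarios),
        "expected_loss_after": sum(s.risk_adjusted_damage(residual.get(s.name))
                                   for s in scenarios),
    }


# Constructed illustration data (not figures from the article).
SCENARIOS = [
    BreachScenario("customer database exfiltration", 0.10,
                   150_000, 400_000, 250_000, 600_000, 1_500_000, 2_000_000),
    BreachScenario("ransomware on file servers", 0.25,
                   80_000, 300_000, 120_000, 50_000, 900_000, 0),
    BreachScenario("marketing site defacement", 0.40,
                   10_000, 20_000, 15_000, 0, 30_000, 0),
]
CONTROLS = [
    Control("database activity monitoring and field-level encryption",
            "customer database exfiltration", 300_000, 0.02),
    Control("network segmentation programme",
            "customer database exfiltration", 900_000, 0.01),
    Control("immutable offline backups plus endpoint detection",
            "ransomware on file servers", 180_000, 0.05),
    Control("web application firewall for the marketing site",
            "marketing site defacement", 45_000, 0.10),
]

if __name__ == "__main__":
    for budget in (400_000, 500_000):
        r = prioritise(SCENARIOS, CONTROLS, budget)
        print(f"budget {budget:,}: fund {r['funded']}")
        print(f"  ask the business to accept: {r['accepted']}")
        print(f"  expected annual loss {r['expected_loss_before']:,.0f} -> "
              f"{r['expected_loss_after']:,.0f}, unspent {r['budget_left']:,.0f}")
```

With a $400,000 budget the ransomware control is funded and the database control, although it has a positive return, does not fit; the database scenario therefore lands on the "accept" list at its full expected loss, which is exactly the conversation tip 3 says the executive should be allowed to have. Raising the budget to $500,000 funds both and cuts the expected annual loss from $882,500 to $200,500. The marketing-site firewall is skipped at either budget because its cost exceeds the loss it would avoid, so that risk is accepted on the numbers rather than by default. The greedy ranking is a first-cut heuristic, not an optimal knapsack solution; for a handful of controls it is what a budget discussion actually needs.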

3. Let Executives Accept Some Risks
Security executives are the proverbial goalkeepers in front of the net, so it may be difficult for them to accept situations that make it easier for the ball to cross the goal line. The instinct is to keep a clean sheet and never let a security incident sully the record.

But the fact of the matter is that the game isn't really won on how many times the bad guys score against your infrastructure. It's won on how much money the company makes and on the financial impact threats have on that profit. Keeping that in mind, it will make sense for line-of-business executives to accept some risks when the cure is worse than the disease.

"The truth is security is all about levels -- the level of pain you want to make a would-be hacker go through vs. the level of disruption you can have on your workforce," says Ken Tola, CEO of IP Ghoster.

IT security professionals who can offer a quantitative risk assessment, and who are prepared to let their executives accept risks based on that assessment, are going to gain a lot more respect, and consequently more budget for high-priority risks, than those who insist that no risk remain unremediated.

"The ultimate goal is to determine your organization's appetite for risk and to facilitate the cultural move from a zero-risk mentality to a risk-resilient mentality," says Bryan Fite, BT Assure portfolio manager for U.S. and Canada at BT Global Services.

Comments
SgS125, User Rank: Ninja, 11/26/2012 | 8:27:15 PM
re: 3 Ways To Get Executives To Listen About Risk
"Fisher recommends that an ROI estimate should account for at least six variables: the cost associated with forensic analysis to determine the scope of the breach, the cost to remediate and re-establish a secure environment, the cost to prevent future repeats of the same attack, the legal costs of a breach, the loss of revenue due to the breach, and the potential damage to the stock price following a breach."

Aren't these two things the same?
"the cost to remediate and re-establish a secure environment, the cost to prevent future repeats of the same attack"
macker490, User Rank: Ninja, 11/4/2012 | 2:19:06 PM
re: 3 Ways To Get Executives To Listen About Risk
only 1 thing gets their attention: $