Vulnerabilities / Threats

9/1/2016 10:30 AM
Andrew Storms
Commentary

How To Talk About Security With Every C-Suite Member

Reframe your approach with context in order to get your message across.

Communicating with C-suite leaders about the ongoing security threats your company faces can easily turn into an exercise in futility. Their eyes glaze over as you present metrics and charts that illustrate the current state of the business’s IT infrastructure, and your attempts to justify investments in additional security tools and systems end up being unsuccessful.

You and your department may believe that you’re conveying clear, accurate, and valid arguments for why the company needs to devote more of the budget toward information security. But your audience only sees metrics that are too technical for them to understand and strange graphs that display complicated trends.

In other words, you’re failing to contextualize your data into terms that resonate with leaders who work outside of IT.

Context Is Key
In a room full of IT professionals, claiming that you’ve successfully addressed all hosts with a Common Vulnerability Scoring System (CVSS) score of 5 or above will draw a round of applause. In a room full of C-suite leaders, however, this same fact without any additional context will only draw confusion.

When speaking with leaders from across the business, it’s important to remember the common goal you share: enablement. In your case, by assessing the risks your company faces, balancing them with the potential costs of a breach, and making security investments accordingly, you’re enabling every department to function and thrive on a day-to-day basis.

You need to make it clear to your audience—in terms they can relate to—how your team is directly contributing to this universal goal. Rather than presenting industry-standard metrics without further explanation, contextualize your findings by showing their net value. Explain exactly why you’ve chosen to present this metric, and describe exactly how addressing hosts with a 5-or-higher CVSS score directly enables the whole company.

Not every member of the C-suite understands information security, but everyone understands risk. Day in and day out, your fellow leaders conduct countless risk assessments when making high-level decisions—so why shouldn’t risk analysis play a key role in the conversations you have with them?

Similar to how insurance companies use actuarial tables to assess risk and make smarter decisions, equip your audience with necessary background details that lead to informed conclusions. Measure the risk liability they’re taking on by not protecting certain assets, highlighting the company-wide value of the systems and data you’re seeking to protect as well as the implications of a potential breach.

“Measurement” is a core principle of lean security—an approach every modern company ought to take when protecting its digital assets. But keep in mind that measurement requires context in order to be understood by key stakeholders across every department. The greatest security metrics in the world mean nothing to your C-suite without a clear explanation that includes why you’ve chosen to present this data, how these numbers relate to risk, and why acting on your findings will lead to enablement.

Reframe Your Approach
Adding much-needed context to your metrics provides these benefits to you and your department:

  • Strategic Investments: Once you contextualize your data and clearly show how your department’s actions are better enabling the entire company, the rest of the C-suite will see the true value of your existence. Instead of thinking that your team is a group of people that sits in a silo, they’ll understand the daily impact you have on every single department. Therefore, they will be more willing to support you when you ask for additional funding and investments in security systems and tools.
  • More Trust and Credibility: Fostering a deeper understanding of how information security contributes to the overall well-being of the company will change the way other leaders interact with you. Rather than thinking your greatest contribution to the business is deploying patches, they’ll see you as a key resource for risk assessment and high-level decision making.
  • Professional Fulfillment: Information security is a profession with a notoriously high level of turnover, mainly because of the reason I felt compelled to write this article: It’s just so difficult to convey your contributions to the rest of the company and get other leaders on board with your mission. Thanks to the trust, credibility, and respect you build through your revamped communication style, your job will feel much more fulfilling, and your footing as a company leader will be cemented for years to come.

There’s no question that information security involves highly complex technical language and metrics, but that doesn’t mean you have to use only these terms when communicating with your senior-level cohorts. Build company-wide understanding around security by adding big-picture context to your metrics, and reap the rewards of trust, support, and career happiness.

Andrew Storms serves as the vice president of security services at New Context. He has been leading IT, security and compliance teams for the past two decades at companies like CloudPassage, nCircle and Tripwire. Storms' advocacy on IT security issues has appeared in CNBC, ...