How To Effectively Communicate Security Risks To The Board

WISEGATEIT.COM
Geek Speak for the C-Suite

Posted 19-Aug-2015



Dear Wisegate,

I have an important board meeting approaching. I’ve been asked to provide a status update outlining the assessment of my company’s risks. How do I best communicate my risk assessment to the very nervous, and not very IT savvy, board while also shielding myself (and the future of my job here) from their resulting anger or nerves?

Sincerely,
Wisegate member in a tough spot

Dear “in a tough spot” Wisegate member,

This question is all too familiar. We recently held a roundtable with senior IT professionals to address the difficulties of communicating with senior company executives. The driving force behind much of infosecurity today is risk management. But in order to manage risk, CISOs need to explain that risk to Business management - and that is not easy.

“Believe me,” the roundtable presenter said, “[Senior executives] understand risk extremely well - they just don’t always understand the geek-speak that we use when we talk to them about IT-related risk, PCI risk, or compliance risk.”

In these meetings, two mistakes are common: IT professionals are blunt where they should be diplomatic, and they explain the risk without offering a solution.

The truth is, IT security teams have to learn the language of the Business, because the Business doesn’t understand the geek-speak of security. Learning to communicate effectively with the C-suite can make IT professionals feel more confident answering questions (like “Are we safe?”) and, in turn, feel more secure in their positions.

Based on the roundtable discussions, we’ve put together a list of tips to help you communicate confidently with the C-suite.

Best of luck,
Wisegate


Understanding Risk Management

risk man·age·ment, noun: (in business) the identification, assessment, and prioritization of risks, followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events or to maximize the realization of opportunities.

WHERE DOES RISK ORIGINATE?
Risks can come from uncertainty in financial markets, threats from project failures (at any phase in the design, development, production, or sustainment life-cycles), legal liabilities, credit risk, accidents, natural causes and disasters, as well as a deliberate attack from an adversary or events of uncertain or unpredictable root cause.

WHAT ARE THE STANDARDS FOR MITIGATING RISK?
Several risk management standards have been developed, including those of the Project Management Institute, the National Institute of Standards and Technology, actuarial societies, and ISO. Methods, definitions and goals vary widely according to whether the risk management method is applied in the context of project management, security, engineering, industrial processes, financial portfolios, actuarial assessments, or public health and safety.


Step One: Understand Your Company’s Risk Tolerance

Understanding the board’s risk tolerance is important to finding the right level for communication. This can, of course, be aggravated if the Board itself isn’t aware of its own tolerance. Often, neither side understands that the company has a very high risk tolerance.

WHAT IS RISK TOLERANCE?
The degree of variability in investment returns that an individual is willing to withstand. Risk tolerance is an important component in investing. An individual should have a realistic understanding of his or her ability and willingness to stomach large swings in the value of his or her investments. Investors who take on too much risk may panic and sell at the wrong time.

Step Two: Identify Who Owns the Risk

Who owns the risk? The real answer is the board of directors. If there is no board, then it falls on the CEO.

The board also owns the risk of subsidiaries. If a subsidiary is breached and sued, the lawyers will come after the part of the company with the deepest pockets - and that will be the parent company. Security is often the bearer of bad news, and how that bad news is presented is a critical part of whether the messenger gets shot or praised.

CATEGORIES OF RISK:
• Operational/Transactional
• Compliance
• Financial
• Reputational

TYPES OF RISK:
• Inherent
• Identified
• Unidentified
• Acceptable
• Unacceptable
• Residual


Step Three: Explore Risk Management Frameworks

One of the hardest decisions for security professionals is selecting a risk management framework. Most executives don’t know or care about the differences between ISO or ISO 31000, NIST or COBIT. What the Business is interested in is the bottom line: what makes me money, what costs me money, and how scary is this?

For security professionals, the important questions are which framework will make it easiest to get the job done, and whether it does that job well.

RISK MANAGEMENT FRAMEWORKS:
• NIST 800 - Federal
• DHHS - Health Care
• HiTrust - Healthcare and PCI
• ISO 31000 - International
• Risk Management Framework (FISMA) - Federal
• COBIT 5 - Financials

Step Four: Identify Topics of Most Interest to Executives

When talking to the C-suite, it is important to understand where their priorities stand.

RISK MANAGEMENT
The Business may have a proprietorial attitude towards risk management. It originated in the financial world, which the Business understands, but is now being explained by the security world, which the Business does not understand. This is aggravated when the board is suddenly presented with a huge and expensive risk that it does not understand.

Ultimately, the C-suite wants to ensure their name doesn’t appear on the news.


Step Five: Create Solutions, Not Problems

ARE WE PROTECTED?
What the Board really wants to know is that the company is safe, which makes the answer to ‘Am I safe?’ very tricky. Ponder this in advance of being asked. Be mindful of how you answer the question: it can get you fired, or it can get you promoted.

HOW DOES IT IMPACT THE BOTTOM LINE?
Financial risk is easily quantified, while security risk is almost impossible to quantify. Take the example of BYOD: as a security professional, you know the number of devices connecting to your network. How do you quantify the risk associated with something like that? It’s extremely difficult, if possible at all.

At the end of the day it’s about money and operations, and executives are in business to make money. This provides a perfect opportunity to launch into a discussion about risk management strategies to reduce risks to acceptable levels.

This is where the true hard work begins. Instead of sparking fear, uncertainty and doubt, earn respect by presenting a strong plan that aligns with the company’s overall business strategy.

A successful pitch will highlight what you have been able to do with other projects. When you can show executives a track record of problems and solutions, it establishes trust with the team.


Don’t forget to:

SEEK TO UNDERSTAND, THEN TO BE UNDERSTOOD
People approach the C-suite with problems all day, often without solutions. Try to understand their problems before you try to get them to understand yours.

BE PREPARED AND EXPLORE OPTIONS
Do your homework and explore other options. Research three to five options and be ready to explain the differences, and the pros and cons of each. If you are only prepared to push your own cause, you won’t get very far.

It’s a security professional’s job to stay focused on fixing the problem, and to remain open and flexible in considering multiple solutions.

Summary

The bottom line is that the board wants to know if it is safe. It neither understands nor cares about firewalls, data leak prevention, and zero-day threats - it just wants to be safe. Security needs to think long and hard about how it is going to answer that question. That requires understanding the Business: its risk tolerance levels, its commercial position, and the board’s business and personal motivations.

Make the board’s problems your own problems and then solve them. Research and create solutions that will gain you your own job security. That’s what effective risk management is about.