WISEGATEIT.COM
Geek Speak for the C-Suite
HOW TO EFFECTIVELY
COMMUNICATE SECURITY
RISKS TO THE BOARD
with insights from Brian O’Hara, ISO, Do It Best Corp
Dear Wisegate,
I have an important board meeting approaching. I’ve been asked to provide a status update outlining the
assessment of my company’s risks. How do I best communicate my risk assessment to the very nervous, and
not very IT savvy, board while also shielding myself (and the future of my job here) from their resulting
anger or nerves?
Sincerely,
Wisegate member in a tough spot

Dear “in a tough spot” Wisegate member,
This question is all too familiar. Wisegate member Brian O’Hara, ISO at Do It Best Corp, recently led a
roundtable with senior IT professionals to address the difficulties of communicating with senior company
executives. The driving force behind much of information security today is risk management. But in order
to manage risk, CISOs need to explain that risk to Business management - and that is not easy.
“Believe me,” O’Hara, the roundtable presenter, said, “[Senior executives] understand risk extremely
well - they just don’t always understand the geek-speak that we use when we talk to them about IT-related
risk, PCI risk, or compliance risk.”
In these meetings, two mistakes often happen: IT professionals are blunt rather than diplomatic, and they
present the risk without proposing a solution.
The truth is, IT security teams have to learn the language of the Business, because the Business does not
understand the geek-speak of security. Learning to communicate effectively with the C-suite can make IT
professionals feel more confident answering questions (like “Are we safe?”) and, in turn, more secure in
their positions.
Based on the roundtable discussions led by O’Hara, we’ve put together a list of tips to help you communicate
confidently with the C-suite.
Best of luck,
Wisegate
Understanding Risk Management
risk man.age.ment
noun
(in business) the identification, assessment, and prioritization of risks, followed by the coordinated
and economical application of resources to minimize, monitor, and control the probability and/or impact
of unfortunate events, or to maximize the realization of opportunities.

WHERE DOES RISK ORIGINATE?
Risks can come from uncertainty in financial markets, threats from project failures (at any phase of the
design, development, production, or sustainment life cycle), legal liabilities, credit risk, accidents,
natural causes and disasters, deliberate attack by an adversary, or events of uncertain or unpredictable
root cause.

WHAT ARE THE STANDARDS FOR MITIGATING RISK?
Several risk management standards have been developed, including those from the Project Management
Institute, the National Institute of Standards and Technology, actuarial societies, and ISO. Methods,
definitions and goals vary widely according to whether the risk management method is applied in the
context of project management, security, engineering, industrial processes, financial portfolios,
actuarial assessments, or public health and safety.
Step One:
Understand Your Company’s Risk Tolerance
Understanding the board’s risk tolerance is important to finding the right level for communication. This
can, of course, be aggravated if the Board itself isn’t aware of its own tolerance. Often, neither side
realizes that the company has a very high risk tolerance.

WHAT IS RISK TOLERANCE?
The degree of variability in investment returns that an individual is willing to withstand. Risk tolerance
is an important component in investing. An individual should have a realistic understanding of his or her
ability and willingness to stomach large swings in the value of his or her investments. Investors who take
on too much risk may panic and sell at the wrong time. The same idea applies to security: how much loss,
and how much uncertainty about loss, the company is willing to carry.

Step Two:
Identify Who Owns the Risk
The real answer is the board of directors. If there is no board, then it falls on the CEO.
This board also owns the risk of subsidiaries. If a subsidiary is breached and sued, the lawyers will come
after the part of the company with the deepest pockets - and that will be the parent company. Security is
often the bearer of bad news, and how that bad news is presented is a critical part of whether the
messenger gets shot or praised.

CATEGORIES OF RISK:
• Operational/Transactional
• Compliance
• Financial
• Reputational
TYPES OF RISK:
• Inherent
• Identified
• Unidentified
• Acceptable
• Unacceptable
• Residual
Step Three:
Explore Risk Management Frameworks
One of the hardest decisions for security professionals is selecting a risk management framework. Most
executives don’t know or care about the differences between ISO standards such as ISO 31000, NIST, or
COBIT. What the Business is interested in is the bottom line: what makes me money, what costs me money,
and how scary is this?
For security professionals, the important questions are which framework will make it easiest to get the
job done, and whether it does a good job of it.

RISK MANAGEMENT FRAMEWORKS:
• NIST SP 800 series - Federal
• DHHS - Health Care
• HITRUST – Healthcare and PCI
• ISO 31000 – International
• Risk Management Framework (FISMA) - Federal
• COBIT 5 – Financials

Step Four:
Identify Topics of Most Interest to Executives
When talking to the C-suite, it is important to understand where their priorities stand.
RISK MANAGEMENT
The Business may have a proprietorial attitude towards risk management. It originated in the financial
world, which the Business understands; but it is now being explained by the security world, which the
Business does not understand. This is aggravated when the board is suddenly presented with a huge and
expensive risk that they do not understand.
Ultimately, the C-suite wants to ensure their name doesn’t appear on the news.
Step Five:
Create Solutions, Not Problems
ARE WE PROTECTED?
What the Board really wants to know is that the company is safe, which makes the answer to ‘Am I safe?’
very tricky. Ponder this in advance of being asked. Be mindful of how you answer the question, as it can
get you fired, or it can get you promoted.
HOW DOES IT IMPACT THE BOTTOM LINE?
Financial risk is easily quantified, while security risk is almost impossible to quantify. Take BYOD as an
example: as a security professional, you know the number of devices connecting to your network. How do you
quantify the risk associated with something like that? It’s extremely difficult, if even possible.
At the end of the day it’s about money and operations, and executives are in business to make money. This
provides a perfect opportunity to launch into a discussion about risk management strategies to reduce risks
to acceptable levels.
This is where the true hard work begins. Instead of sparking fear, uncertainty and doubt, earn respect by
presenting a strong plan that aligns with the overall business strategy.
A successful pitch will highlight what you’ve been able to do with other projects. When you can show
executives a track record of problems and solutions, it establishes trust with the team.
Don’t forget to:
SEEK TO UNDERSTAND, THEN TO BE UNDERSTOOD
People approach the C-suite with problems all day, often without solutions. Try to understand their problems
before you try to get them to understand yours.
BE PREPARED AND EXPLORE OPTIONS
Do your homework and explore other options. Research three to five options and be ready to explain the
differences between them and the pros and cons of each. If you are only prepared to push your own cause,
you won’t get very far.
It’s a security professional’s job to stay focused on fixing the problem, and to remain open and flexible in
considering multiple solutions.

Summary
The bottom line is that the board wants to know if it is safe. It neither understands
nor cares about firewalls, data leak prevention, and zero-day threats; it just wants
to be safe. Security needs to think long and hard about how it is going to answer
that question. That requires understanding the Business: its risk tolerance levels,
its commercial position, and the board’s business and personal motivations.
Make the board’s problems your own problems and then solve them. Research
and create solutions that will gain you your own job security. That’s what effective
risk management is about.