Translating the value of information security


In December 2012, I attended an event that included a large number of security executives from various US federal government departments.

What materialised over the course of the meetings were more than a few excellent discussions on the topic of how to better connect the efforts of the security teams to the specific missions of their respective agencies.

Aside from the never-ending task of securing critical systems and the sensitive data they contain, one of the biggest and arguably most difficult challenges for leadership is effectively communicating the value of security to all parts of the organisation.

Key to this effort is first recognising how to create the opportunity to present the infosec value proposition, then knowing how to craft the message so that it is accessible and actionable to a diverse audience, many of whom may still believe security efforts to be tangential to the organisation's central mission.

After chairing multiple boardroom discussions with several dozen CISOs, CSOs, CIOs, etc., who talked openly about the obstacles they face in communicating this fundamental but novel notion, one specific issue consistently emerged: finding the right 'translator' within the organisation to make the case.

An effective translator is one who not only possesses the acumen required to understand information systems and security protocols from a technical perspective, but who also has the capacity to communicate the 'why' of security to a non-technical audience in a way that truly resonates.

The ability to translate the value of security as a core aspect of an organisation's mission - not as a separate function divorced from the organisation's purpose - is an essential skill for the success of information security teams now more than ever, and the need to effectively connect security directly to the business mission will only continue to grow in importance.

As the conversations progressed, we were able to identify some key strategies for building these translation skills within our teams. The best ideas to emerge from the discussions included:

  • During the hiring process, we look at specific competencies among the candidates for a position, so why not also look for a candidate's ability to effectively communicate the principles underlying security as a central business function or goal of the organisation?

  • For those organisations that are not in the position to seek out new staff who have the prerequisite communications skills, consider identifying existing personnel who already exhibit the right qualities, and offer them the opportunity to engage in training to further develop these abilities.

  • Often the inclination is to take a technology wonk and try to train them to speak the language of business risk, but the general consensus among the group of attendees was that it may be more effective to take someone with a strong business background and train them on the technologies behind an organisation's security initiatives, then allow them to go back to their tribe and make the case for security as a business objective.

  • Alternatively, it was suggested by more than a few participants that it may be advantageous to identify someone in a compatible role who is well suited to take on this translation task, and re-purpose their position in the organisation to include this responsibility. Potential candidates for this approach include:

    • Internal audit and/or IS audit staff: They already know how to deal with both the technology and business management teams, and they have a thorough understanding of risk mitigation and applicable controls.

    • Marketing staff: Yes, that's right, the marketing staff. One of the federal agencies participating in the discussions found great success in tapping their marketing team to create 'executive dashboards' to help with the translation. They had the reporting team interview the very executives who would be consuming the reports, and used the information they gleaned to develop crisp, clear dashboards that the executives actually looked forward to.

  • The last approach identified was simply to 'be lucky'. This isn't necessarily a repeatable practice, but nonetheless a good number of organisations indicated they just happened upon people within their organisation who already possessed these types of translational skills. Be observant and leverage the innate abilities of your team members.

So how do these strategies and suggestions compare to your own experience in attempting to better connect security to your organisation's mission? Is a communication skills gap impeding your organisation's success when it comes to making the translation? Or, if you've already solved this problem in your organisation, what were the factors that were instrumental in bridging the gap?

The event in December underscored the fact that many are just beginning to address these challenges, and through these sorts of discussions and the sharing of new ideas, it is clear that there are several viable approaches to finding the right persons to communicate the business value of security. You just have to find the one that works best for your organisation.

Dwayne Melancon is chief technology officer at Tripwire