In December 2012, I attended an event that included a large number of security executives from various US federal government departments.
What materialised over the course of the meetings were more than a few excellent discussions on how to better connect the efforts of the security teams to the specific missions of their respective agencies.
Aside from the never-ending task of securing critical systems and the sensitive data they contain, one of the biggest and arguably most difficult challenges for leadership is effectively communicating the value of security to all parts of the organisation.
Key to this effort is first recognising how to create the opportunity to present the infosec value proposition, then knowing how to craft the message so that it is accessible and actionable to a diverse audience, many of whom may still believe security efforts to be tangential to the organisation's central mission.
After chairing multiple boardroom discussions with several dozen CISOs, CSOs, CIOs, etc., who talked openly about the obstacles they face in communicating this fundamental but still unfamiliar notion, one specific issue consistently emerged: finding the right 'translator' within the organisation to make the case.
An effective translator is one who not only possesses the acumen required to understand information systems and security controls from a technical perspective, but who also has the capacity to communicate the 'why' of security to a non-technical audience in a way that truly resonates.
The ability to translate the value of security as a core aspect of an organisation's mission - not as a separate function divorced from the organisation's purpose - is an essential skill for the success of information security teams now more than ever, and the need to effectively connect security directly to the business mission will only continue to grow in importance.
As the conversations progressed, we were able to identify some key strategies for building these translation skills within our teams. The best ideas to emerge from the discussions included:
- Internal audit and/or IS audit staff: they already know how to deal with both the technology and business management teams, and they have a thorough understanding of risk mitigation and the applicable controls.
- Marketing staff: yes, that's right, the marketing staff. One of the federal agencies participating in the discussions found great success in tapping its marketing team to create 'executive dashboards' to help with the translation. The reporting team interviewed the very executives who would be consuming the reports, and used what they learned to develop crisp, clear dashboards that the executives actually looked forward to.
So how do these strategies and suggestions compare to your own experience in attempting to better connect security to your organisation's mission? Is a communication skills gap impeding your organisation's success when it comes to making the translation? Or, if you've already solved this problem in your organisation, what were the factors that were instrumental in bridging the gap?
The event in December underscored the fact that many organisations are just beginning to address these challenges, and through these sorts of discussions and the sharing of new ideas, it is clear that there are several viable approaches to finding the right people to communicate the business value of security – you just have to find the one that works best for your organisation.
Dwayne Melancon is chief technology officer at Tripwire