Earlier this month, I wrote the first blog post in a series based on a World Cafe discussion we had around the weak link between policies and measures in many organizations. The discussion took place in the form of 4 debate rounds. In the previous blog post, I presented Information Security as a necessity of life. There is no doubt that Information Security is a very important topic for most organizations, but during the debate, many participants were uncertain as to whether, and how, to communicate about it to the rest of the company. In this blog post, I will present the conclusions of this discussion.
Communicate the issue and a solution
My first question when discussing communication about risk and security in architecture was: Do you need to communicate it? And if the answer is yes: To whom? And what? This caused quite a debate among participants. The overall conclusion was that communication is in fact integral, and that decision-makers are our target audience, since the business needs to be well informed to make the right decisions about rightsizing the measures. Answering the second question (what do we communicate?) was much more difficult, since the differences between business decision-makers are enormous. Personal interests, backgrounds, levels of education and professional sector often vary. Nonetheless we were able to come up with a list of good practices.
7 best practices: communicating enterprise risks and information security
- Risk does not hurt. The impact does!
- Use metaphors
- Show concrete examples
- Test security
- Stakeholder specific communication
- Don’t use jargon, and if you really have to, use business jargon
- Make it personal
For each best practice, we will try to explain what you can do, and how it contributes to understanding information security risks and measures.
1. Risk does not hurt. The impact does!
Typically, risk managers and security architects try to gain the attention of their managers in two different ways. One popular method is to target fear and pain: they communicate the potential impact of risks on the business. Alternatively, some attendees suggested presenting the potential gain of being successful in security, e.g. more trust from customers. Most attendees have had more success selling fear than selling the gain of being secure.
2. Use metaphors
Metaphors are extremely effective in communicating more complex concepts to your business management team. For example, you can simplify the discussion by comparing information security to insurance. Everybody has some form of insurance. Many people have more insurance than they really need. Most people hope they will never need it, but they have it anyway, just in case. Other participants mentioned the metaphor of traffic. Perhaps some managers like driving at high speed. They probably know that things can go wrong, and that they could end up with some form of penalty, but often they are willing to accept this risk. Some managers might never drive more than 50 km/h above the limit, because they know they might lose their license. Others might use apps to find out where the police have their checkpoints. When you use metaphors, risks can be easier to understand than most abstract cybersecurity terminology. This helps to advocate the importance of risk management.
3. Show concrete examples
Raymond Slot pointed out that only 6% of hacks are made public. The ones that are, however, really help in learning what the loss from a breach might be. Use these! Preferably from your own industry and/or country, to bring it as close to your business as possible.
4. Test security
Every other month we stand in front of the building after yet another fire drill. Inconvenient and annoying, but we all understand that it has some sort of purpose. Real-life testing of computer systems is done with penetration tests, for instance, but the business itself and the management team are hardly ever affected by these tests. Some attendees in our discussions have good experiences with real-life tests of security leaks, attacks and downtime. This not only provides you with relevant information, but also helps to give your stakeholders the right sense of urgency around the topic.
5. Stakeholder specific communication
“The business” is not one person. It is a large audience ranging from on-the-floor employees, team leaders, and non-tech, semi-tech and technical audiences to board members and maybe even sourcing partners. These groups have different information needs and require different communication styles. Some people in the audience create communication strategies to periodically present the right security information, through the right channel, to the right internal audience.
Some have good experiences with “miffy-style” communication to management, whereas others advise not to offend managers by presenting information as if to a child.
6. Don’t use jargon, and if you really have to, use business jargon
Architects understand the distinction between conceptual, logical and physical models and consider the methods that need to be applied. But managers don’t care… at all! The only jargon they are fluent in is the jargon of your business. Money, speed and risk are the jargon to use in the boardroom. Some of the attendees in our workshop build their case for implementing measures around the potential loss arising from financial risks. This seems to really help them engage board members in the topic of information security.
7. Make it personal
The key message that should be ingrained in a business manager’s mind after a meeting on information security awareness should be: “this is a serious issue”. Or more concretely: “This affects me/my position/my people/my customers/my career”. Discussing these topics only at large meetings will not really help you to get feedback and learn whether your message has landed. Do not talk at the managers you want on board your information security train; talk with them!
What are your main challenges regarding Enterprise Risk & Security? Please share your thoughts, experience and ideas in the comments, or use the social buttons on this page.
And of course, stay tuned for the next blog post in this series, which will discuss: What Really Works to Build Information Security Awareness?