Earlier this month, I wrote the first blog post in a series based on a World Cafe discussion we had around the lack of alignment between policies and measures in many organizations. The discussion took place in the form of 4 debate rounds. In the previous blog post, I presented Information Security as a necessity of life. There is no doubt that Information Security is a very important topic for most organizations, but during the debate, many participants were uncertain as to whether, and how, to communicate about it to the rest of the company. In this blog post, I will present the conclusions of this discussion.
My first question when discussing communication about risk and security in architecture was: Do you need to communicate it? And if the answer is yes: To whom? And what? This caused quite a debate among participants. The overall conclusion was that communication is in fact integral, and that decision-makers are our target audience, since the business needs to be well informed to make the right decisions about rightsizing the measures. Answering the second question, "what do we communicate?", was much more difficult, since the differences between business decision-makers are enormous. Personal interests, backgrounds, levels of education and professional sector often vary. Nonetheless, we were able to come up with a list of good practices.
For each best practice, we will try to explain what you can do, and how it contributes to understanding information security risks and measures.
Typically, risk managers and security architects try to gain the attention of their managers in two different ways. One popular method is to target fear and pain: they communicate the potential impact of risks on the business. Alternatively, some attendees suggested presenting the potential gain of being successful in security, e.g. more trust from customers. Most attendees reported more success selling fear than selling the gain of being secure.
Metaphors are extremely effective in communicating more complex concepts to your business management team. For example, you can simplify the discussion by comparing information security to insurance. Everybody has some form of insurance. Many people have more insurance than they really need. Most people hope they will never need it, but they have it anyway, just in case. Other participants mentioned the metaphor of traffic. Perhaps some managers like driving at high speed. They probably know that things can go wrong, and they could end up with some form of penalty, but often they are willing to accept this risk. Some managers might never drive more than 50 km/h above the limit, because they know they might lose their license. Others might use apps to find out where the police have their checkpoints. When you use metaphors, risks can be easier to understand than most abstract cybersecurity terminology. This helps to advocate the importance of risk management.
Raymond Slot pointed out that only 6% of hacks are made public. Those that are, however, really help in learning what the loss from a breach might be. Use these! Preferably from your own industry and/or country, to bring it as close to your business as possible.
Every other month we stand in front of the building after yet another fire drill. Inconvenient and annoying, but we all understand that it has some sort of purpose. Real-life testing of computer issues is done with penetration tests, for instance. But the business itself and the management team are hardly ever affected by these tests. Some attendees in our discussions have had good experiences with real-life tests of security leaks, attacks and downtime. This not only provides you with relevant information, but also helps to give your stakeholders the right sense of urgency about the topic.
“The business” is not one person. It is a large audience ranging from on-the-floor employees, team leaders, and non-tech, semi-tech and technical staff to board members and maybe even sourcing partners. These groups have different information needs and require different communication styles. Some people in the audience create communication strategies to periodically present the right security information, through the right channel, to the right internal audience.
Some have had good experiences with “miffy-style” communication to management, whereas others advise not to offend managers by presenting information as if to a child.
Architects understand the distinction between conceptual, logical and physical models and consider the methods that need to be applied. But managers don’t care… at all! The only jargon they are fluent in is the jargon of your business. Money, speed and risk are the jargon to use in the boardroom. Some of the attendees in our workshop build their case for implementing measures around the potential loss arising from financial risks. This seems to really help them engage board members in the topic of information security.
The key message that should be ingrained in a business manager’s mind after a meeting on information security awareness should be: “this is a serious issue”. Or more concretely: “This affects me/my position/my people/my customers/my career”. Discussing these topics only at large meetings will not really help you to get feedback and learn whether your message has landed. Do not talk at the managers you want on board your information security train, but talk with them!
What are your main challenges regarding Enterprise Risk & Security? Please share your thoughts, experience and ideas in the comments, or use the social buttons on this page.
And of course, stay tuned for the next blog post in this series, which will discuss: What Really Works to Build Information Security Awareness?