Information security professionals use words like threat, malware, virus, and attack vector to describe the dangers to an information system. None of those words resonate with the business executive. Business executives understand and speak risk and profit. So, when an information security executive needs to communicate with a business executive, they must avoid the information security jargon that can shut down a business executive’s attention. Chief Information Security Officers, as well as other information security executives, must become bilingual. They must be able to communicate with the information security analysts and other professionals that work for them and they must be able to communicate with business executives like the CEO and the Board.
To an information security professional, as well as most IT professionals, risk is automatically a bad word. I do not know how many project meetings I have attended where the risks were highlighted in red and presented as a danger. To a business executive, risk is simply another factor that must be evaluated before making a decision. Many of the business executives with whom I have spoken have stated that it is very difficult to make money without taking risk. This is one of the fundamental differences in viewpoint between business on one side and information security and IT on the other. This difference causes many communication problems between these components of an organization.
For example, when we do a risk assessment at my agency, I evaluate the findings to determine if I believe any significant risks exist. That evaluation is done with the help of the people who report to me. We discuss compliance with the various information security frameworks that we follow. We discuss any legal or statutory shortcomings. We discuss best practices. And, yes, we discuss threats, malware, viruses, and attack vectors. We discuss mitigation methods to resolve these issues. We may have to do some research on pricing for the solutions we have discussed.
But, when I take these findings to the business executives, that is a very different conversation. I must present this information in terms of risk to the business. Will we be fined for noncompliance? Will this affect our ability to conduct business? I present the risks along with the costs and impacts of my recommendations. I use business terms and discuss the impacts and risks to the business, not to IT and not to information security. It is not my place to accept the risk; that belongs to the business units. It is the business executive who must decide whether they are willing to live with that risk and its consequences or spend the money to mitigate the risk.
If I were to present a risk that has a very low probability of occurrence with a mitigation cost of $100,000 per year, and the business determines that the impact of this risk is only $5,000 per occurrence, there is no way that the business will spend that money. Furthermore, unless there is a legal or compliance component involved, I would not recommend the mitigation. I did have a situation once where we did a risk assessment and determined that the mitigation cost included a one-time capital expense of $600,000 and an annual operational expense of $150,000. In this case there was both a legal and a compliance issue involved. So, I asked for a meeting with the executive in charge of that part of the business. The executive and two of his directors met with me. After I presented the risk and the cost of mitigation to them, the executive asked the CEO, the CFO, and the CIO to join us. After the business executives and the CEO finished discussing the business impact of this risk, they determined the annual impact could be as much as $1 billion per year. Suddenly, $600,000 didn’t sound like so much money. I will add here that we did implement the mitigation and it has stopped this event from occurring several times. So, it was money well spent.
I would like to make one last point here. The Office of Information Security in many organizations is considered to be the “Department of No!” CISOs need to work to change this image. The Office of Information Security should be thought of as the people who help the business do the things that it needs to do, but do them securely. We need to stop saying “No” and start saying “Sure, we can do it like this.” One way to accomplish this is to have information security involved in all project initiation meetings. Often a gentle nudge at the beginning of a project is enough to ensure project security. If you bring a project to me the day before “Go Live,” then I have no choice but to say no: I have no idea whether the project is secure or not. I have tried very hard to avoid that situation. Another way is to stay in contact with the business executives. Ask them what’s on their mind. Ask them about upcoming projects. Ask them what you can do to help them. It’s important that the business executives trust the CISO.
A few weeks ago, a director at my agency heard me discussing this topic. Afterwards he came over to me and said “In all the time that I have known you, you’ve never just said no to me. You always have an idea of how we can do the project securely.” I think that was one of the nicest things that anyone has said to me at work.