How to communicate security risks to senior management

2011-07-26


Despite the security industry becoming ever more professional, with well-trained teams, security incidents seem to be increasing. Just look at the news recently:

  • Sony – 23 incidents so far?
  • UK NHS Laptop – over 8 million patient records
  • Citibank – 200,000 customer records lost
  • WordPress platform vulnerabilities (see Steve Lord’s presentations on this)
  • Stuxnet – targeted at a specific industrial control system

From the 2011 Verizon DBIR

  • 761 breaches of which 87% were in Hospitality, Retail and Financial Services
  • 436 of these were in companies with 11-100 employees – so this is not just a problem for the big targets any more
  • 92% of attacks (leading to 99% of records compromised) were external

Some new threat groups:

Anonymous and LulzSec – often punitive, sometimes for the Lulz

  • HBGary
  • ACS Law
  • Spanish Police
  • FBI, CIA
  • Porn sites
  • Took requests from the public for targets

So what do the security professionals do?

  • After an audit, fix the vulnerabilities it found
  • After an attack, fix the issues that were exploited
  • Use encryption and strong authentication
  • Patch regularly
  • Validate input, encode output
  • Assess your 3rd parties
  • Use a Secure Development Lifecycle
  • Build security into everything you do

No problem, right?  If only it were that easy…

Your CEO wants the business to make money, so wants to minimise bottom-line spend, but will spend appropriately on genuine risks to the business.

So why doesn’t the CEO see these security issues as business risks?

  • Maybe they aren’t significant when compared to other business risks
  • Or perhaps the CEO just doesn’t understand the latest security threat

Both of these are your problems. The security community is often called the ‘echo chamber’ for good reason: we say good things and have good ideas about how to fix security issues, but we pretty much only communicate with other enlightened security professionals. We need to tell others in a way they can understand, but in general we talk technical 1337 speak full of jargon, and no one outside the community can make head or tail of it.

It is up to you, the security professional, to learn how to talk the language of business risk.

There are materials out there that will help you:

Begin to understand what is important to a business executive and how they talk about it, and you are already well on the way to being able to articulate security in the same way. If you manage security professionals, make it easy for them to gain exposure to heads of business, the C-suite, executives, directors and so on; it is likely to benefit you in the long run.

These are good questions to prepare you for the conversations you may have along the way.
