"I need people and I need funding to do my job properly. Executives don't get it: they want me to bulletproof their systems but don't want to listen."
Does this sound familiar? Of course, such moaning fills the room at security gatherings such as any local PCI Community meeting.
Those responsible for IT security usually point to Executives as a major impediment to their mission. Why is that? I think that Executives and IT Security DO work toward the same goal: "Securing the business". They differ in terms of focus, interests, beliefs, perspectives, ways of working, and language. In such circumstances it shouldn't surprise anyone that Executives and IT Security are somehow lost in translation. "Sorry, I don't understand what you are saying. Are you speaking Business?"
How can we avoid this? How can we move these two camps closer?
Involve Executives in key security governance activities.
According to a study from the Carnegie Mellon CyLab on "How Boards & Senior Executives are managing Cyber Risks" (see link at the bottom), Executives tend to:
- overlook security among their top agenda items;
- not review the policies that are set;
- not look at the roles and responsibilities assigned to key personnel;
- not review security incidents;
- delegate these "IT things" to experts.
One way to make Executives sensitive to security is to involve them in key security governance activities. So although not explicitly required by PCI DSS, it would be wise to establish coordination meetings with Executives (at least twice a year) for the endorsement of key materials such as these:
- IT risk analysis;
- security roadmap;
- security policies;
- assignment of security-related responsibilities.
Adopt their language and protocols.
Executives DO listen but people responsible for IT Security need to learn how to communicate effectively with them.
In this context, here is some advice shared by John South, CISO of Heartland Payment Systems, in an interview, "How to talk security to the board of directors" (see link below):
- Don't be afraid to discuss security issues openly so they can understand what impact those issues may have.
- Getting them to understand the issues and to make a decision is usually a matter of managing time rather than managing information. So stay focused and go straight to the point.
- Keep in mind that Executives see things from a business perspective as opposed to a technical perspective.
- Think like a business person.
- Put everything in a manner that allows them to quickly see the big picture.
- Encapsulate your security story in a business case. Show them what impact it has on the company, what impact it has on operations, what the remediation plan(s) are and the associated costs.
- Use scorecards, dashboards and colors.
- Make sure they get all the information they need to make a decision, BUT banish all technical terms, designs, and irrelevant information.
- As Einstein is quoted: "If you can't explain it simply, you don't understand it well enough." Use only words that a six-year-old child could understand.
- Rehearse your presentation with non-technical audiences such as sales or marketing people.
Applying these principles can be quite challenging. Make sure to include training in your individual development plan to develop your presentation and communication skills. Learn to present business cases in a very short presentation with the minimum necessary information.
What is your personal opinion/experience on this topic?
What are your suggestions for enhancing the level of cooperation?
Did you find this newsletter valuable for the security community?
What other topics would you like to see addressed in these PCI newsletters?
Make sure to check out our previous PCI 30 seconds newsletter: #21 - "Qualified" internal scanning staff using "appropriate" scanning tools - What does that mean?