You may have heard “If you can't explain it simply, you don't understand it well enough.” This is a quote attributed to Albert Einstein that I immediately thought of when I read about the newly-published risk metrics findings of the Ponemon Institute study The State of Risk-Based Security Management. Of the 1,320 IT and security professionals surveyed, 59% said that security metrics information is too technical to be understood by non-technical management. Really!?
There's not a single thing associated with the technical work we do that cannot be distilled down to plain English – in business terms for business people. Why can't SQL injection be presented as a loss of customer information through the website? Why can't weak passwords or missing patches exploitable via Metasploit be communicated as a way for contractors to gain unauthorized access to intellectual property when they're onsite connected to the network?
Explaining security challenges in terms that management can understand is possible if you make it so. You have to take off your IT hat and goggles and think about how security issues impact the business at the highest level possible. The reality is, sometimes you need more information and don't currently have the tools needed to acquire that information. It's sort of a chicken-and-egg dilemma. You need the ammunition to back what you're saying in order to get the money and support to protect the systems that are truly at risk.
Before you spend a dime, you have to focus on yourself – how effectively you communicate and how effective you are at getting things done in IT. The Ponemon study found that 40% of IT and security pros only communicate with executives after a security incident occurs. Management is out of the loop, therefore IT is out of sight and out of mind. Furthermore, over a third of respondents said it takes too much time and resources to prepare and report metrics to executives. So what are your priorities? Goal management and time management are arguably the two most important skills you can possess as an IT professional – way more than any technical skills you'll ever acquire. Goal and time management must be mastered in order to excel in this field, yet they get little attention.
The new Ponemon findings are the very essence of why we cannot get management to take our work seriously. I'm convinced that IT professionals are often their own worst enemy when it comes to getting people on their side with security. Don't get me wrong. Management is certainly complicit in this dilemma. Still, you have to do your part.
Speaking “geek speak” with little regard for the bigger picture is the best way to kill your credibility and that of IT as a whole. Negate Einstein's theory. Learn to translate IT and security problems into business problems. I have to do it a lot in my work as an expert witness and writing For Dummies books. If I can do it, anyone can.
How well you “sell” yourself and your ideas defines the buy-in you'll receive and, ultimately, your overall career success. If getting others on your side is a problem, then take a course and vow to work at it to get better. Ditto with goal setting and time management.
In the end, we have two choices: 1) do our part to fix the problem or 2) stop complaining that nobody gets us.