A client of mine contacted me lately out of frustration. She was lamenting the fact that senior management in her organisation did not take information security seriously and that she struggled to get their attention. She went on to say that, to her, senior management only seemed to pay lip service to their obligations in relation to information security and/or compliance with areas such as Data Protection, PCI DSS, and contractual obligations with clients. The only time information security became a topic of concern for senior management was either as the result of a security breach that was serious enough to warrant their attention, or in response to mainstream media headlines about a security threat. In these cases she would rather not have their attention, as she would often have to go into a defensive mode while senior management demanded to know what she was doing to prevent the breach from occurring again, or what measures she had put in place to defend against the latest security threat on the news. In each of these cases she would spend more time and energy dealing with management demands for updates and reports than managing the issues themselves.
She highlighted how she recently went to the senior management team to raise concerns over the organisation’s exposure to the Shellshock vulnerability. She had prepared a presentation to support her argument that systems should be taken offline so they could be patched against the vulnerability. Her presentation had listed the technical issues of the bug, the systems that were impacted, and what would be required to manage the vulnerability. However, the response from management was, she said, “indifferent”. She did not get the go-ahead to take systems offline to get them patched and was simply told to monitor the situation and, if it got worse, to make them aware.
To me this was a classic example of how we in information security fail to align ourselves with the business. Because our industry and jobs involve IT and technical issues, we often tend to focus on the technical aspects of the role. We get caught up in the bits and bytes of each vulnerability and tool and in turn look at problems as technical problems and not as business issues. When I speak at conferences I often ask the audience how many of them have read their organisation’s Annual Report or its business plan. Quite often only a very low percentage, less than 5 percent, will raise their hands. This strikes me as a core issue as to why we as professionals fail to engage with the business. If we present our arguments, proposals, and challenges as technical issues to a largely non-technical audience then we are unlikely to get the hearing we need. Instead, as I advised my client, we need to ask ourselves the question “So what?”
Every time we make a presentation, highlight a security concern, or make any submission to our business colleagues we need to ask ourselves “So what?” in response to each of the items we raise. If we cannot express an answer to the “So what?” question in plain language then we are not ready to communicate that issue. This should be an iterative process: for every statement we make to support the previous statements, we should continue to ask “So what?” until we get to the main business impact the issue will have. In the above example my client should have kept asking herself the question “So what?” until she had identified what impact not patching Shellshock would have on the business. Clearly communicating our technical issues and their impacts on the business will move information security problems from being seen as purely technical issues that require no input from senior management to business issues that need their direct attention.
So next time you have a security problem that needs the attention of senior management, simply ask yourself “So what?”
Hear more from Brian on “security as a business enabler”, recorded at Infosecurity Europe 2014: