In our last mailing, we wrote about how to talk to management about security. This time, we will address what to tell them.
It is easy to cloud the communication channels with too many details, the wrong details, or too much technical focus. Instead, concentrate on what management needs to know about the issue at hand, and what they should know in their capacity as organizational leaders. This will help them understand the problems you (and, by extension, they) are dealing with, and importantly, help you get the organizational support you need to solve them.
Every executive will want to know something different; some will be very involved and others more hands off. But many will not know what to ask and will look to you to lead the conversation. As before, we use "management" to mean not the immediate supervisor in IT, but the executive- and board-level people for whom IT security is one of many concerns in a very busy day. The higher the audience level, obviously, the fewer details you should include. The following list is ordered so that the earlier items suit a higher-level audience and the later items suit a lower-level (but still non-technical) audience.
News flashes: A year or so ago, everyone asked their security department "Could what happened to Sony happen to us?"
It is often a tough question to answer, given the limited information available, especially in the early stages of any large, headline-making security breach. But it is good to take advantage of someone else's misfortune, and the high-level attention it gets, to get more resources for security, to press for a decision, or to show how well you are doing.
Peer comparisons: What are your neighbors doing about Topic X?
That is often the first question management will ask. Whether it concerns a particular technology such as email encryption, or larger issues such as staffing levels and organizational structure, this is always welcome information to a leader.
Risk criteria: What does a High risk mean to your organization?
Aside from the obvious concern of a reportable breach, what other impacts do you worry about? Every organization will answer this differently, but the answer should be communicated to and approved by management.
This is a narrative describing the few, most likely events that will result in a breach. It can be a dodgy vendor, a vulnerable workflow, or a key yet missing piece of technology. "Our most likely breach is when X does Y to Z". Also include the steps you are taking to prevent this, or would like to take to prevent this, but acknowledge where your risks are.
Numbers: Scope the problem.
How many systems, applications, and risks are you managing? How many attempted viruses, phishing attempts, or lost smartphones do you deal with in a month? A full-on dashboard isn't necessary, but management tends to be a quantitative audience, and these sorts of stats can help communicate the size of the security challenge and its trend line over time (especially when you include the size of the security organization as a denominator).
The "Hot Corner":
A term we use for the low-likelihood, high-impact events that aren't frequent enough to become a high risk, but will be a world of hurt if they do occur. This includes floods in the data center, UPS battery fires, and a sloppy support vendor taking down a system. These risks are almost always accepted, but it's worth raising them to show that you are aware of them and have thought about them.
Any blockers to a project:
Anything that gets in the way of good security management, be it recalcitrant vendors, lack of funds, or other priorities. These blockers may be removable, or may be perfectly acceptable reasons for delay, but they should be discussed with management rather than assumed to be known.
Face time with executives can be a scarce resource in many organizations, and concise, effective communication with them can maximize how you use it, as well as increase the executive's confidence in you and your team.