Information Security Disconnected from Management?
The information security software firm, Tripwire, released the interesting results of a “state of risk-based security management” study performed in conjunction with the Ponemon Institute. (The link above is to the press release and summary. The complete study is downloadable in parts – not a good idea, Tripwire – from this location.)
The study has some disturbing comments:
- According to the study, not only do two thirds of IT professionals fail to communicate security risks, but 59% filter negative facts before they are disclosed!
- About half said that communication between security risk management and business personnel is “poor, nonexistent, or adversarial”.
Tripwire’s CTO is quoted as saying:
“Risk provides the common language that enables a broader business conversation about cybersecurity risks, particularly when dealing with non-technical executives. However, it’s clear from this report that most organizations are missing the majority of opportunities to integrate security risks into day-to-day business decisions. Changing this paradigm will require security professionals to develop new communication skills so they can talk about security risks in terms that are clearly relevant to the top-level business goals.”
In my opinion, Dwayne (the CTO) has this backwards.
These IT professionals need to communicate business risks – the potential effect on the business and its objectives from a potential information security exposure.
Talking about security risks is using a language that the business executives don’t speak naturally, one that does not communicate how their and the organization’s success might be affected.
As my good friend Jay Taylor says, and ISACA in its guidance reiterates, there is no such thing as IT risk – only the business risk created from an IT-related issue. For example, the loss of a server farm is not the risk; the risk is the effect of that loss on the business, such as the inability to support normal business operations (accounting, sales, etc.), which leads to loss of revenue.
Yes, IT professionals need to (as Dwayne says) “develop new communication skills”. They need to learn how to communicate in the language of the business. They need to talk about IT-related business risk, and cut out the techno-babble of “information security risk”.
Let’s not put all the blame for poor communications on IT. The business and especially any risk management personnel need to translate any techno-babble into business risk. They must not accept talk of “IT risk”. In the process, they can help the IT staff learn to speak the language of the business.
Just my opinion. What is yours?
Amen Norman!
You are preaching my favorite sermon!
These findings do not surprise us, but are still disturbing. We continue to see far too many risk managers who believe that it is their job to report good findings rather than actual conditions. This can be caused by various forms of optimism bias or just plain not understanding that they are denying management the opportunity to act on the real situation. Other times though we’ve seen management marginalize or ignore risk assessments, believing the risk assessments have no business value. In the end, risk management still has a long way to go as we evangelize our value.
Absolutely spot on! There are definite silos between IT, IT Security and ‘the Business’ in so many, perhaps most, organisations. One of the reasons why so many organisations are driving into the Cloud is because they have little faith in their IT department.
We have investigated so many breaches where the IT department have, to varying degrees, sought to either cover up the breach or ‘translate’ it into a service issue. Many incidents are not properly investigated because evidence vital to the understanding of the causes – and even the extent of the impact – is needlessly ‘washed away’ by IT staff hell-bent on recovery and saving face.
I agree also that it is the job of the risk and audit professionals to translate ‘coal-face’ terminology describing risk into a form that is business-readable. It is not the job of the IT department to do this.
Dwayne should have said, “… Changing this paradigm will require security professionals to develop new communication skills so they can talk with senior leaders about risks to achieving key business goals and objectives including those that arise from security issues. These things are clearly relevant to those controlling the purse strings and remediation efforts. Security professionals and auditors should reverse their typical thought process and ask leadership ‘what must go right in your business to achieve your objectives’, then explain how security risks actually hinder their ability to be successful”.
Anyone finding these results surprising has not paid attention, or just removed their head from the sand. I suspect management has been minimizing business risk related to IT since the first set of punch cards got loaded into the Univac. IT managers have worried about risk and what could go wrong for just as long.
IT security professionals frequently sound like ‘the little boy who cried wolf’ wailing about all the things which might go wrong and assuming a ‘don’t do XXXX’ posture.
Business management (sales, mfg., even finance) frequently assumes all of this gnashing of teeth is nothing more than a ploy to get the IT budget increased by obstructing legitimate business plans with tales of false or unlikely to occur events.
My experience is that managers do not need nor want to know all of the IT related business risks. The enlightened ones do want to know what risks (IT related or not) might interfere with achieving objectives, the likelihood of risk occurrence and the mitigation cost.
If the IT staff and the business managers understand each other (notice I didn’t say speak the same language) management can make a more informed mitigation decision. Otherwise, the business remains more vulnerable to disruption because a less optimal decision was made.
Pardon my cynicism, but the discussion about IT-speak and business-speak has been around a long time and covered many different points in the IT-business user universe. I guess it’s now reached the risk contact point.
Hi, Norman – we’re more in agreement than you realize. I think the tendency of IT / Infosec to default to techno-babble is a big part of the problem. My premise is that IT execs need to take the extra effort of translating that jargon into business-recognizable, business-relevant information that encourages the rest of the business to engage in the right conversation.
Too many of the metrics packages, exec presentations, etc. are full of mounds of data that don’t mean anything to a typical CFO or business unit manager. If the same data were refactored into something they instantly recognized as supportive of the business’s goals, they wouldn’t glaze over – they’d engage.
I also agree with Jay’s assertion that there’s no such thing as IT risk, only business risk. I also believe it is up to IT execs to translate the risks they see from their unique vantage points into business risks before presenting them to other execs.
I also agree that business bears some of the burden of making poor communications more effective. However, I think IT has the most to lose if their contribution to that business risk discussion is overlooked because they don’t know how to inject their data into the discussion in a meaningful way. As I always say, “We must take responsibility for our own well-being.”
By the way – this is an area I’m passionate about – here’s a recent example of my thoughts on this topic: http://www.tripwire.com/state-of-security/security-data-protection/doctor-my-ceo-doesnt-understand-security/
This ain’t news. IMO there’s plenty of blame to go around. Security people who don’t speak business, CIOs who bury IT security down in their departments, businesspeople who don’t want an accurate portrayal of accurate risks. Of course there are also some companies who take a more progressive approach, and should be emulated.
I do think it’s telling, though, that the IIA (for example) has boatloads of good information and guidance and discussion around Enterprise Risk Management, whereas I have seen very little intellectual property or messaging on the topic from the InfoSec world thus far. And I think ERM is information security’s best chance of connecting to language and concepts that resonate with corporate leadership. Security has to get out of its stovepipe – I like Dwayne’s formulation above, “IT has the most to lose if their contribution to that business risk discussion is overlooked because they don’t know how to inject their data into the discussion in a meaningful way.” And I disagree STRENUOUSLY with Neil’s statement that it isn’t IT’s job to translate technical jargon into business language.
I have been writing about this for several years now, and I’ll spare you all the links going back to my earlier CSO Magazine days, but here’s a recent attempt to put this on the radar for CIOs:
“W. Edwards Deming hates your approach to IT security”
http://www.fiercecio.com/story/w-edwards-deming-hates-your-approach-it-security/2013-08-19
Kudos Derek! The PCI Council and the annual Verizon breach report both recommended FAIRiq as a means to quantitatively measure risk…google it!
So it is always IT that has to learn business language? They work on accounting, logistics and manufacturing systems, they cross all disciplines — so they need to learn it all? And you might think IT is highly paid, but they are not as well paid as the business managers they communicate with… shouldn’t it be the responsibility of the highly compensated folks who run the business to learn all the business? Not the dedicated non-managerial employees?
Sometimes I get the feeling from business – that they don’t want to understand how their system works, and they take pride in not knowing. But all of business is dependent on their systems, and it is management who makes the decisions about purchasing packages/systems – it is business that sets deadlines, shouldn’t they take responsibility for understanding cyber security issues and being able to translate factual IT risk into business risk?