How to improve communication between information security staff and management

Miscommunication between a business and its information security service can lead to unnecessary losses. Today we try to work out how to overcome the communication barrier.

Communication between information security service and business

No company can operate successfully without smooth cooperation between the general management and the specialists responsible for different areas of the business. Such cooperation of course requires communication, which can sometimes be difficult since managers and specialists work in different information bubbles and often speak different languages. Management thinks about profit, costs and development; specialists – and the information security service is no exception – think about their specific technical tasks.

A recent study conducted by our colleagues found that, while mutual understanding between business managers and information security specialists is generally growing, problems do still exist. In fact, 98% of the business representatives surveyed said that they experienced a misunderstanding with the information security service at least once. As for direct consequences of such a misunderstanding, 62% said that it had led to at least one security incident, while 61% reported negative impacts to the business — including losses, losing key employees, or a worsening of communication among departments. At the same time, the security professionals themselves are not always aware of any problems: 42% of business leaders would like the security specialists to communicate more clearly — but 76% of those specialists feel sure that everyone understands them perfectly!

There are often problems with the language used: managers generally don’t understand all the technical terms that information security services use. But terminology isn’t the only problem in the communication between the managers and information security — in fact, it’s not even the main problem. Let’s attempt to understand the other issues with the help of Patrick Miller, Managing Partner of Archer International, and his speech at the Kaspersky Industrial Cybersecurity Conference 2019.

Different ideas about risk

Most information security specialists have a very low risk-tolerance threshold. But in business, the opposite is true: without risk, there’s no profit, so managers are often ready to take greater risks. For the boss, the main goal is to find the ideal balance between potential profits and potential losses. The real goal of the security department, as strange as this may sound, is not to eliminate all threats but to help the business earn as much as possible.

From the business point of view, risks can be accepted, avoided, reduced, or transferred (for example, to insurers). Managers will try to take as many risks as possible to increase profits. Information security is just a small part of the picture for them: they probably don’t even want to think about it.

As a result, information security specialists should not think about how to close all the gaps, but rather about how to identify and neutralize those threats that really could cause serious damage to the business. And, consequently, they should also think about how to explain to managers why it’s worth spending money on resolving a particular threat.

FUD doesn’t work

Trying to persuade managers using tactics of fear, uncertainty, and doubt (FUD) is not going to work because getting scared isn’t what the business pays the information security service for. Specialists are there to solve problems — ideally so that no one even notices that there are any.

Another problem with using FUD is that managers are already pretty stressed out, simply because any mistake they make could be their last: there are a lot of folks around who’d jump at the chance of taking their place, they don’t really trust anyone, and so on. They just don’t need any extra fear factors.

And finally, no boss likes to show that they don’t know something. Therefore, any attempts to bombard management with smart-sounding terms are obviously doomed to fail.

Think like a business

The main goal of any commercial business is to earn money. All managers look at everything from this point of view. That’s what they know how to do. Therefore, if an information security specialist comes to them and says, “a threat has appeared and we need to invest X amount of funds to neutralize it,” what the manager hears is “if we take a risk and do nothing, we’ll save X amount of funds.” Sounds crazy, but that’s exactly how business thinks.

For the manager, it’s essential that any of their actions (or inactions) results in positive financial numbers — even if such a positive number happens to be the difference between two negative ones. So, the situation must be presented to the management in a form it can understand: “There’s a threat with a Z% probability of causing Y damage to the business. We need to spend X to neutralize it.” This is an equation that makes sense to the business mindset.

Of course, it’s not always possible to realistically predict the cost of potential damage, so you can use known values such as downtime (during which the consequences of the incident would be cleaned up), the amount and type of data that could be lost or compromised, reputational losses, and so on. The business can then convert this information into understandable numbers — with the help of relevant specialists. But it’s better if the information security team can do this themselves, since it saves a lot of time.
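The equation above (“Z% probability of Y damage versus X to neutralize it”), worked through as an added example that is not code from the article or from the study it cites: it builds Y from the known values the paragraph lists (downtime, recovery and reputational losses) and compares the accept/reduce/transfer options from the earlier section by their total expected cost, which is the figure a manager actually weighs. The threat, the money figures and the treatment options are constructed sample values.

```python
from dataclasses import dataclass

@dataclass
class Threat:
    name: str
    probability: float  # Z: chance the threat materialises in the period (0..1)
    impact: float       # Y: damage if it does, in currency units

@dataclass
class Treatment:
    label: str                   # accept / reduce / transfer, as in the article
    upfront_cost: float          # X: what the business must spend now
    residual_probability: float  # Z once the treatment is in place
    residual_impact: float       # Y once the treatment is in place (e.g. a deductible)

def impact_from_downtime(days: float, cost_per_day: float, other_losses: float = 0.0) -> float:
    """Turn the 'known values' (downtime, data loss, reputation) into one figure for Y."""
    return days * cost_per_day + other_losses

def expected_loss(probability: float, impact: float) -> float:
    """Z% * Y: what the risk costs on average if nothing changes."""
    return probability * impact

def total_cost(t: Treatment) -> float:
    """X plus the residual expected loss: the number a manager actually compares."""
    return t.upfront_cost + expected_loss(t.residual_probability, t.residual_impact)

def rank_treatments(threat: Threat, treatments: list[Treatment]) -> list[tuple[str, float, float]]:
    """(label, total cost, saving vs. accepting the risk), cheapest first.
    'Accept' is always listed: doing nothing is a real option for the business."""
    accept = Treatment("accept", 0.0, threat.probability, threat.impact)
    baseline = total_cost(accept)
    rows = [(t.label, total_cost(t), baseline - total_cost(t)) for t in [accept, *treatments]]
    return sorted(rows, key=lambda r: r[1])

# Constructed sample (not from the article): ransomware halts production for 10 days
# at 80,000/day plus 200,000 in recovery and reputational costs; 20% chance per year.
RANSOMWARE = Threat("ransomware on plant network", 0.2, impact_from_downtime(10, 80_000, 200_000))
OPTIONS = [
    Treatment("reduce: backups + segmentation", 150_000, 0.05, 300_000),
    Treatment("transfer: cyber insurance", 60_000, 0.20, 250_000),  # 250,000 deductible
]

if __name__ == "__main__":
    for label, cost, saving in rank_treatments(RANSOMWARE, OPTIONS):
        print(f"{label:35} total {cost:>12,.0f}   saves {saving:>10,.0f}")
```

With these sample figures, accepting the risk costs 200,000 on average per year, the reduction option 165,000 and the insurance option 110,000, so the cheapest line is the one to put on the one-page offer.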

Naturally, there’s always the possibility that the equation won’t work out in favor of information security. This isn’t always a problem of miscommunication — maybe the managers hear and understand everything perfectly, but it’s just more profitable to take the risk. Either that or information security wasn’t able to convincingly argue their position because it didn’t learn to think like a business.

The key here is to have a good grasp of the information security service’s position within the company and the profit it generates. This will make it possible to better evaluate and classify potential threats, avoid wasting your own and other people’s time and nerves on initiatives that clearly won’t go anywhere, and in general to work more efficiently.

The time factor and deadlines

For security, the time factor is crucial: some threats must be protected against immediately. But time is also important for business, because for the business time is money: you can spend the aforementioned X amount of money today, but if you spend it only in a month, then in skillful hands X will have turned into X*n in the meantime, and X*(n-1) will stay in the bank.

Even if the managers understand the problem well and know that it must be solved, they won’t rush to spend money unless they’re given a clear and well-argued deadline. They should also be notified that once the deadline passes, they automatically take responsibility for the specified risk, since then information security can only clean up the consequences.

This deadline should be as realistic as possible. If information security is always demanding a decision to be made “yesterday”, then management will stop listening and instead treat it like the boy who cried wolf. And if it’s always saying “well, you can decide within a year”, it will simply be fired following the next incident (or quietly made redundant). It’s important to be able to assess and set the real deadline and highlight the potential risks.

It’s worth noting that very few companies simply keep reserve money in their accounts, waiting for the chief information security officer to come and tell them where to spend it as soon as possible. Funds to solve the problem will have to be taken or borrowed from somewhere, and this can take time. And, by the way, in order to understand the time it takes, it’s also important to know how the business works and is financed.

Be a marketer

To communicate effectively, information security specialists should have some marketing skills; then they can sell their solutions to the boss(es).

  • Offer a solution, not a problem. Obviously, you can’t sell a problem.
  • Whenever possible, rely on real and easily verifiable precedents. Managers love them — they reduce uncertainty.
  • Instead of technical terms, use engaging sales language and slides with colorful charts.
  • Offer several options — including the clearly unfeasible ones.
  • Fit the whole offer on one page — nobody will read any more than that.
  • Use synonyms for the expression “information security”: risk reduction, ensuring resilience/continuity of work processes, maintaining operational efficiency, downtime reduction, damage prevention, and so on.
  • Keep emotional language to a minimum and maintain a business-like, professional communication style.

What to do?

Soft skills are the key to successful business communication. You need to be able to get out of your specialized bubble and learn to talk to managers using the language and contexts they prefer. Though they might want to, they can’t dive deep into all the technical details of every department in the company. For the information security service, it’s important to recognize that you’re just one part of the business, to know how it works, and to help get the maximum income with minimum costs.

And it’s also worth checking out the results of our latest research study “Fluent in InfoSec: Are C-level executives and IT security managers on the same page?”