5. If The Business Doesn't Support You, Your Communication Is Failing
It is a common refrain that security teams are under-resourced and under-staffed, and that they are not supported by the business. If that is truly the case, you're probably in the wrong place. But what often happens – and is something we at least have control over – is that we fail to communicate in a language that the business understands.
Talking To Ourselves
Many of us in #infosec come from a technical background, and many get their introduction to our culture from hacker and cybersecurity conferences. The talks there are often highly technical and, even when more abstract, filled with jargon unique to the field. Vendors and analyst firms add a further layer on top of this, which is hard to follow even if you are in the industry.
You are probably not going to get heard if you ask for funding to implement protections against the OWASP Top 10, deploy a WAF/IPS, remediate vulnerabilities with HIGH and CRITICAL CVE ratings, implement MFA and embark on a multi-year Zero Trust Architecture deployment.
Talk In Terms of Business Risk
Senior executives go from crisis to crisis, and only what is most urgent will occupy their attention. They manage all kinds of business risks, and security may not be on their radar at all.
But they do understand the probability of risks and their financial impact. Your organization almost certainly already has established scales for probability and financial impact thresholds that can be plotted on a 4x4 or 5x5 grid to articulate business risks. When security risks are communicated in the same way business risks are, it is much easier for executives to compare where they sit relative to the other risks they need to manage.
Learn How to Prepare an Executive Deck
It seems that only rarely does anybody teach you how to prepare a proper executive deck; you tend to learn by participating in the process. As this process can easily lead to multiple editors changing the language to the point of meaninglessness, the closer you can get your deck to the expected shape, the less likely it is that people without domain knowledge will make changes before it is presented.
- Everything you want to say must fit in 3 slides maximum
- Make sure all that is most important to you is in the first slide — there is a realistic possibility you may not get beyond the first slide
- Realize that many execs are high-speed information absorbers, so get to the point immediately. Make your point in 5-10 minutes
Prepare a Realistic Plan, including Budget and Number of Resources
The last thing you want is to succeed in getting attention and support, and then have no answer when you are asked what you need to bring down the risk. That is your opportunity wasted. Make sure you have a budget and resource plan ready that shows what you are going to do, justifies the budget and articulates how it reduces business risk. Include clear milestones, dates and meaningful progress metrics that can be reported on.
Good communication typically comes from placing yourself in the position of others and speaking to them in language they understand. A good start is to read any corporate strategy documents you can find, and align your message with their main messaging and with how security supports it. You are bound to get a lot more traction that way.
cloud security posts without corporate approval @jaythvv@infosec.exchange