
Learn the language of the executive suite for maximum impact

04/13/2016  |  By: Mark Burnette, CPA, CISSP, CISM, CISA, CRISC, CGEIT, ITIL, QSA, Shareholder, Practice Leader of Risk Services


Social Logo Social Logo Social Logo Social Logo

One of the biggest frustrations I hear non-security executives voice is that their security folks are struggling to communicate the priorities of IT security in a way that has an impact for company executives. Put another way, the business executives don’t speak the technical language, so they can’t fully process the “geekspeak” that comes from their information security function. Security leaders, of course, have a similar frustration in the other direction. Try as they might, they can’t find a good way to get company management on board with a key security initiative.

So, how can your message have more of an impact with executives? For starters, it’s important to translate technical information into non-technical terms. Since most business executives did not come from an IT background, we have to shift the discussion away from pings, packets, ports, and firewalls and more towards business issues. So, rather than expecting the executives to adjust themselves to your level, adjust your message to theirs.

As a security professional, you have to frame your message in terms business people know well:

  • A company could face legal liability,
  • a disruption of operations, or
  • damage to the organization’s reputation if it suffers a breach.

Even if a security breach does not result in a direct monetary loss, there will still be financial repercussions from investigating and repairing whatever breach occurred. Focus the message on these potential impacts and you’ll at least be in the conversation.

Security Breach: When executives say “not us”

Be aware that some executives may still have the “not us” mindset. You may be warning others in your company about a big security breach in the news, like what happened to Target, and then run into resistance from others in your organization saying it will never happen to you because your company is so much smaller, or not in the same industry, or any number of other “not us” reasons.

Those individuals will be difficult to win over, but keep adjusting your message and seeking an audience. Also, find advocates who recognize the risks and rely on them to help reinforce your message to the struggling executive. Ironically, we are often called in as a third party to tell executives exactly what their own security professionals have already been saying to them, and that’s also an effective approach.

Sometimes, security professionals struggle just to get an audience with executives. One of the things I often suggest is to look for vehicles you can leverage within your organization. For example, talk one-on-one to your chief legal counsel or to someone from internal audit. Make sure that what you have to say gets included in their reports to the executive committee.

Once you do get in front of executives, you must hone your message. Think of this as your 30-second elevator pitch, spelling out the key issues and your top priorities in clear terms. What are the two or three top things executives in your organization absolutely must know? Don’t get bogged down in details or reams of data. If you deliver the message right, executives will follow up with you for more details.

The one caveat I would add is that you don’t want to become a Chicken Little, warning that the sky is falling at every turn. You can avoid this by having mentors or colleagues help assess the importance of your message and your delivery of the information. That process can also go a long way towards shaping your message in a way that it delivers maximum impact for the executives who need to hear it.

Learn more about how our team at LBMC Information Security can help your team armor up with a wide range of network defense services. Contact us today!

Mark Burnette is a partner in the Information Security practice at LBMC, a premiere Tennessee-based professional services firm. Contact Mark at or 615-309-2447.