
Information Security Disconnected from Management?

The information security software firm, Tripwire, released the interesting results of a “state of risk-based security management” study performed in conjunction with the Ponemon Institute. (The link above is to the press release and summary. The complete study is downloadable in parts – not a good idea, Tripwire – from this location.)

The study has some disturbing comments:

  1. According to the study, not only do two-thirds of IT professionals fail to communicate security risks, but 59% filter out negative facts before they are disclosed!
  2. About half said that communication between security risk management and business personnel is “poor, nonexistent, or adversarial”.

Tripwire’s CTO is quoted as saying:

“Risk provides the common language that enables a broader business conversation about cybersecurity risks, particularly when dealing with non-technical executives. However, it’s clear from this report that most organizations are missing the majority of opportunities to integrate security risks into day-to-day business decisions. Changing this paradigm will require security professionals to develop new communication skills so they can talk about security risks in terms that are clearly relevant to the top-level business goals.”


In my opinion, Dwayne (the CTO) has this backwards.

These IT professionals need to communicate business risks – the potential effect on the business and its objectives from a potential information security exposure.

Talking about security risks is using a language that the business executives don’t speak naturally, one that does not communicate how their and the organization’s success might be affected.

As my good friend Jay Taylor says, and ISACA in its guidance reiterates, there is no such thing as IT risk – only the business risk created by an IT-related issue. For example, the loss of a server farm is not the risk; the risk is the effect of that loss on the business, such as the inability to support normal operations (accounting, sales, etc.), which in turn leads to loss of revenue.

Yes, IT professionals need to (as Dwayne says) “develop new communication skills”. They need to learn how to communicate in the language of the business. They need to talk about IT-related business risk, and cut out the techno-babble of “information security risk”.

Let’s not put all the blame for poor communications on IT. The business and especially any risk management personnel need to translate any techno-babble into business risk. They must not accept talk of “IT risk”. In the process, they can help the IT staff learn to speak the language of the business.

Just my opinion. What is yours?


Comments: 1

  • Norman, thanks for this dialog. I agree with the points you make but I think we are more in agreement than you think.

    I agree with Jay’s assertion that there is no such thing as IT risk, but there *is* business risk. However, there is the specific discipline of IT management, and it’s incumbent upon those responsible for IT to ensure that the business risks (which they recognize from their unique point of view) are elevated and included in the ‘big picture’ business decisions made within their organizations.

    I also agree that the burden of building effective communications is the responsibility of both the business people and IT management, but I think IT has the most to lose if their message doesn’t get through. And you’re also correct that techno-babble is getting in the way of the message – as are esoteric, techie metrics and fear-based pleas for funding.

    The way I see it, we need to focus on the business, use facts and objective data to guide our decisions, and have a sound control strategy – with results-based validation – that supports the business’s success.

    If the data we present and the dialog we have with other execs doesn’t drive the right (business) discussion, help us make better IT decisions, and help us improve the business we’re not doing it right.
