Making the Case for Security — In Plain Language
Translating cybersecurity into layman’s terms isn’t easy, especially when it comes to explaining why senior leaders should care about issues such as continuous monitoring or public key infrastructure.
But one thing all executives understand is that any downtime in operations could mean a major loss in productivity and revenue and cripple their ability to provide citizen services.
“The game changer is not speaking IT, not speaking information security, but speaking business value or mission value,” Peter Gouldmann, director of information risk programs at the State Department’s Office of Information Assurance, told the audience at a cybersecurity conference. “Go to the table and say, ‘How can you improve your effectiveness and your mission, and how can I be a part of it? What does success look like to you?’”
Securing a Seat at the Table
But first you have to get around the table to have that discussion. One way is through a casual conversation with senior leaders about incidents like the massive Target breach late last year, in which cyberthieves nabbed customers’ personal data. “There is a lesson for everyone,” Gouldmann said Monday during a panel discussion at CyberSecureGov 2014 in Arlington, Va. “Every senior professional wants to know, ‘How much should I care?’”
Consider the recent news about a security vulnerability found in Microsoft’s Internet Explorer. The first question from most senior officials was, “What does this mean for me at home? How does it affect me?” Gouldmann said.
Making security personal is key, he noted. “If you do that, [senior leaders] will subconsciously bring that [mindset] to the workplace.”
Tying Security to the Mission
He also recommends that information security professionals explain security in the context of the agency’s business goals. Ask executives what would happen if they couldn’t access their information for a day or what would happen if someone gained unauthorized access to agency data, Gouldmann said. “It’s our job to take that business information and translate that into the appropriate level of protection.”
The chief information security officer is like a marketer in chief, explained Erik Avakian, who serves as Pennsylvania’s CISO. The person in that role has to articulate how cybersecurity investments align with IT initiatives and the agency’s overall strategic plan. Those working in the security and IT arena have their own language, though, and that language is often misunderstood.
“The first thing I’d recommend is changing the language,” Avakian said. “Learn how your senior leadership communicate, and learn how to communicate with them.”