March 31, 2017 By David Strom 2 min read

When it is time to talk to your senior management about information security, what is the most effective way to do so? That question was recently posed on this LinkedIn forum of IT security managers. The answers were thoughtful and varied, and can serve as good examples for your own strategy.

Discussing Security in Business Terms

One of the first comments was very specific and prescriptive: “Put the issues in business terms.” This is a common suggestion, especially when talking to executives.

“Try to shift [management’s] thinking away from it being an IT issue,” said another commenter. That way, you can create a business-based discussion and focus on the overall enterprise risk management objectives.

It’s important to relate to the particular risk appetite that your firm finds acceptable and understand how to mitigate that risk with the proper security investments. There needs to be a match — otherwise, your message won’t have the necessary impact.

Speak the Language of Management

One participant emphasized the importance of knowing your audience and conversing with executives in terms they understand. “Never talk down to them, [or] try to confuse them with buzzwords or lingo,” the security manager advised. IT professionals often get caught up in this jargon and can’t see the forest through the trees.

Another commenter said that IT managers should lead by example and share their experiences dealing with security breaches. They could explain any lessons they learned and discuss strategies to avoid breaches in the future.

It’s also crucial, an IT manager pointed out, to “speak to the social business benefits.” Some professionals place too much emphasis on business profit and loss numbers, and as such they fail to consider the many intangible factors that influence customers to buy their products and services.

Know Your Audience

Finally, IT managers should study their subjects and know their motivations. “Spend a little time upfront trying to find out what keeps your CEO and board of directors awake at night relative to information protection,” one commenter advised. “You might be surprised at the responses.”

These kinds of interviews can help set the appropriate tone for your conversation. I have often attended meetings in which several speakers repeatedly refer to acronyms, only for a participant eventually speak up to ask what it means. That can be embarrassing for everyone.

Listen to the six-part podcast series: A CISO’s Guide to Obtaining Budget

More from CISO

X-Force Threat Intelligence Index 2024 reveals stolen credentials as top risk, with AI attacks on the horizon

4 min read - Every year, IBM X-Force analysts assess the data collected across all our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that plots changes in the cyber threat landscape to reveal trends and help clients proactively put security measures in place. Among the many noteworthy findings in the 2024 edition of the X-Force report, three major trends stand out that we’re advising security professionals and CISOs to observe: A sharp increase in abuse of valid accounts…

Boardroom cyber expertise comes under scrutiny

3 min read - Why are companies concerned about cybersecurity? Some of the main drivers are data protection, compliance, risk management and ensuring business continuity. None of these are minor issues. Then why do board members frequently keep their distance when it comes to cyber concerns?A report released last year showed that just 5% of CISOs reported directly to the CEO. This was actually down from 8% in 2022 and 11% in 2021. But even if board members don’t want to get too close…

The CISO’s guide to accelerating quantum-safe readiness

3 min read - Quantum computing presents both opportunities and challenges for the modern enterprise. While quantum computers are expected to help solve some of the world’s most complex problems, they also pose a risk to traditional cryptographic systems, particularly public-key encryption. To ensure their organization’s data remains secure now and in the future, chief information security officers (CISOs) should educate themselves about quantum computing, proactively address the coming quantum risks to cybersecurity and work to establish cryptographic agility in their enterprise.A future cryptographically…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today