Communicating Security Topics
What we’ll be learning
Communicating and discussing cybersecurity topics can be a challenge for many Information Technology (IT) professionals. Stakeholders often lack familiarity with the current threat landscape or the technical understanding needed to have valuable conversations about security. However, as cybersecurity threats increase, it is more critical than ever to have simple, informed, and proactive cybersecurity dialogues.
In this article, we will be learning how to communicate to stakeholders, specifically non-technical stakeholders, regarding security-related topics.
Importance of communicating security topics
In the IT industry, it is well known that many business stakeholders and some IT professionals consider security to be a blocker and a hindrance. This perception exists because security requirements and risk assessments can often be quite rigorous. Because of it, communicating with the business about cybersecurity can be a challenge for many security professionals and teams. That said, as cybersecurity professionals, it is our responsibility to ensure that communication is concise and digestible for our stakeholders.
The rise in cyberattacks and data breaches requires organizations to design comprehensive and dynamic approaches to protecting themselves and their assets. The best way to achieve that protection is to inform stakeholders, motivate them, and prioritize security measures.
The support of high-level executives such as the CEO, CTO, and CISO of a company is a great start in developing the company’s security awareness. Once that awareness exists, security concerns raised during project development are communicated and resolved more efficiently. Cybersecurity professionals should be able to communicate security topics across the different levels of the business.
Types of stakeholders
There are different types of stakeholders. But, before we discuss the different types, let us understand what a stakeholder is. A stakeholder is any person or group involved in the project for any reason. It can be someone who may affect, be affected by, or perceive themselves as affected by your project or program. It is imperative that security teams understand, identify, and categorize their stakeholders. Projects can organize stakeholders into two main categories: internal and external stakeholders.
Internal stakeholders are stakeholders that are within the organization. Some of these stakeholders can be:
Project sponsor - Typically, the person or group that has the authority to request a project and provide funding to the project.
Example: If your security organization had a new technology that they wanted to implement, like a SIEM (Security Information and Event Management), they would need a project sponsor to approve and provide funding for the project.
Executive leadership - Typically, anyone in the upper management team or C-Suite executives, usually your CEO, CTO, CISO, or Director.
Example: Keeping with the new request for implementing a new SIEM in your security organization, you would need to present a business justification case to the executive leadership group as to why the SIEM is required, what value it will add to the company, and its cost-benefit analysis.
End users - The internal teams that will use the product or its components after completion.
Example: Departments within your organization’s security team that might benefit from the output logs from the SIEM.
Partner teams - Internal teams outside your direct organization interested in the project’s outcome.
Example: Another IT department within your company outside of the security team, like the Event Management team. This IT team might benefit from using the SIEM implemented by the Security Department.
External stakeholders are stakeholders that are outside the organization. Some of these stakeholders can be:
Clients or customers - These are companies or people that will be consumers of the end product or project.
Example: External customers whose data the SIEM might be configured to capture and log.
Vendors - These are the companies supplying the technology and services needed for the product.
Example: The vendor you would use to procure the SIEM technology for your security department.
Competitors or opponents - Companies that offer the same or similar products or services.
What’s important to stakeholders
The importance of stakeholder groups, and the strategy you take to engage them, will depend on the outcomes needed and the available resources. To capitalize on stakeholder engagement, you need to understand what is important to your stakeholders.
Cost-Benefit: When proposing a new security technology or control, cybersecurity professionals will need to communicate the cost of implementation effectively and compare it with the expected benefits for the business.
Time: Projects cannot go on indefinitely. Stakeholders will need to know the proposed timelines for implementing new security projects and controls. Creating a project plan and having deadlines and milestones documented is essential.
Resources: Some stakeholder groups will also need to know how many resources your security efforts require. In some cases, security teams will need to reallocate resources to a department or to the business based on the level of effort or priority of a security effort.
Associated Risk: Stakeholders will also need to know and understand the risks associated with your security proposal or controls. As a cybersecurity professional, you will need to understand a risk register and how it fits into the proposal you make to your stakeholders. Learn more about risk registers.
How to communicate security topics
Today, cybersecurity professionals are asked to report on and proactively assess the environment and to anticipate new risks. They must understand and contribute to the ecosystem of both the business and the IT departments in order to improve their organizations, protect vital operations, and take advantage of strategic opportunities. Below we outline four key steps to help cybersecurity professionals start those conversations.
Communicate using non-technical jargon
Having conversations and getting business support is easier when speaking the same language.
A considerable part of creating and having a risk-aware organization is based on a language that everyone understands. Communicating without technical jargon and using language that everyone understands helps your organization build a shared perspective on cybersecurity and other risks. As a result, the business can make effective decisions and investments.
Discussions of vulnerabilities, threats, security risks, technical terms, and data can easily confuse a non-technical person or an executive leader who is not in the weeds daily. It is crucial to find reporting metrics that speak a language everyone can understand and to use tools that help you communicate.
Lead with the risk
The best cybersecurity professionals have a holistic understanding of the overall business strategy and goals. They know how these goals intersect with security and how cyber risk could impact them. It is important to emphasize to stakeholders why proactive security measures and controls are essential and how the business is at risk if they are not implemented. In your communication, include a cost-benefit analysis for any recommendation for a new security project or implementation. Stakeholders might need frequent reminders that a proactive approach to cybersecurity costs the company less than the potential costs of a breach, both financially and to the company’s reputation. Good business and effective cybersecurity go hand in hand. Reiterate your awareness that IT and security systems should work cohesively with other parts of the business and not hinder progress.
Speak to what is relevant
When discussing security, IT professionals should be aware of their audience. Some stakeholders, like C-Suite executives, may want a high-level report. In contrast, others may demand a more detailed technical report. Whether reporting to C-Suite executives or other stakeholder groups, adapt your presentation and add appropriate context so the audience can take action.
Simplify your security conversations
Creating a culture of security awareness requires commitment and intention from your company’s top executives and managers. Maintaining a robust security posture requires company leaders to commit to security and be willing to support security initiatives. To start, try creating an environment where sharing information about security and having productive conversations about these topics become the norm in your organization.
In this article, we reviewed the importance of communicating security topics. As you continue to progress as a cybersecurity professional, it is paramount that you have and lead discussions around cybersecurity topics with various stakeholder groups.