IT Risk Management Master Class

How Information Security Professionals Can Better Communicate Risks to the Board

Ash Hunt

Communication is one of the most frequently discussed topics in technology and information security, but it's one of the most poorly executed skills. The origins of this issue are clear — in a profession steadfastly devoted to technical skill, certifications and tenure, the critical skills of corporate and strategic communication have received scant mention in CISSP, CISM and any MSC in Information Security.

Notwithstanding, development handrails on this matter are scant, leading to a constant struggle — how to speak the board’s language. As security professionals, we aim to communicate effectively for one reason: to secure budget. Yet, CVSS (vulnerability) scores and TTPs (tactics, techniques and procedures) of attackers fail to make a persuasive case for ExCo, NEDs, VCs or PLC boards; none will exchange cash for technobabble that they cannot correlate to business value.

Unfortunately, effective communication is perceived by many across the profession as a secondary consideration, rather than fundamental to securing much-needed funds. Security leaders must be able to exercise persuasive influence if they wish to move boards to open the coffers.  

It's worth noting that every other established corporate function maintains reporting requirements that are correlated directly to business value and growth targets. But technology and security have shirked this responsibility for decades as the cost center perception took root.

With increased budget scrutiny, guidance on how to communicate technical complexities in a common language is desperately sought. Fortunately, the answers are straightforward, well-versed, tried and tested.  

Why Technology and InfoSec Leaders Should Invest in Communication Skills

The fundamental role of CISOs and security leaders is to support the business in revenue generation and growth  a more apt role title would be "revenue enablement officers." They don’t exist to block by default; all businesses have requirements underpinning strategic objectives.

In achieving an objective, the business will invariably incur loss (due to operational inefficiencies, control deficiencies, unforeseen technical requirements and so on). Security, and wider technology, exist to support the business in reducing this loss, typically through controls.

Controls have an associated cost, which, in a direct sense, consumes budget resources; but budget consumption is an investment, not an arbitrary cost, that increases the success rate of business objectives. As loss exposure is reduced, business opportunities increase. This trade-off between cost and opportunity is inherently understood by boards. 

Technology and security professionals need to realign with this expectation and leverage mechanisms that can articulate potential loss, including how probable that loss is for a given scenario. Moreover, they should view budget expenditure through the lens of control activity and associated costs. This ensures the accurate measurement of both security improvement and investment return.

Speak a Common Language to Access Better Business Opportunities

Communicating in a common language (financial-based terminology) also assists technology and security leaders in meeting diverse reporting requirements. For example, loss profiles and ROI analysis should be communicated differently to executive committees than a representation of risk to auditors or regulators.

However, articulating security in business terms means full transparency, and many security professionals are reluctant to reveal the extent of financial loss exposure to audiences who are unfamiliar with the vast technical complexities driving these vulnerabilities. This is where the science of analysis meets the art of communication — in understanding the motives of your target audience and what is required of them.

High-frequency engagement with key business stakeholders is critical to supporting effective board and ROI communication. The more time technology and security leaders invest in working with the Board to understand their objectives, the easier it is to build alignment between technical initiatives and their effect on business outcomes, positioning technology as a contributing — and not consuming — function.

For in-depth frameworks and tools that can help your organization develop a risk model to reduce the challenges of unmeasured uncertainty, download the Diligent IT Risk Management Master Class Toolkit.


Ash Hunt

Ash Hunt

Ash Hunt is a global CISO, international keynote speaker and frequent board advisor with a decade of experience in complex, multinational environments. He has worked extensively across UK government departments, FTSE/FORBES organizations and Critical National Infrastructure (CNI), in addition to authoring the UK’s first quantitative framework and actuarial model for information risk. He has also served as a media commentator for Sky News and ITV on cyber security issues.