Posted by Tony Abou-Assaleh on July 16th, 2013

How Do You Communicate with Management About Cybersecurity?

Quartz shared a study this week on a pressing issue in the cybersecurity space – the inability of IT employees to communicate effectively with management. The latest study in a series conducted by Tripwire and the Ponemon Institute is titled “Are Security Metrics too Complicated for Management.” Over 1,300 IT professionals and those involved in business operations, risk management and compliance were surveyed and shared their opinions on the issues plaguing the industry.

What’s the cause of all these communication issues? The study revealed that one of the biggest issues is that in many cases the information is too technical to be shared with those outside of the IT space. While IT and online security teams are not alone when it comes to the snares of profession-based jargon, this is a real problem that can jeopardize the security of organizations big and small. Other responses indicate that:

  • Executives are only privy to information if there is an actual incident;
  • It takes too much time and resources to report security metrics;
  • A startling 18% said that they believe management doesn’t care.

This is a troubling phenomenon. Cybersecurity is in many cases an organizational effort that requires executive buy-in. Employees of all levels have to respect the threats presented to their organization, and understand the role they can play in protecting the business – even if it’s something as small and simple as being mindful when downloading email attachments.

Having difficulty communicating with your executive and convincing others of the importance of cybersecurity? Here are some suggestions to start the dialogue:

  1. Use everyday language. Every industry has its own specific jargon that doesn’t always make sense to those not working in the same sector. Whenever possible, use terms that are understandable to all audiences. If that’s not possible, ensure you give clear definitions of any potentially unfamiliar terms.
  2. Make sharing a routine. If compiling large reports at the end of every quarter is tedious and time consuming, consider breaking them down and sharing information weekly. Consistent reporting and monitoring means that when it’s time to compile everything you’ve already got the data at your fingertips.
  3. Share your knowledge. There are lots of reasons people choose to not be invested in a topic. Often it’s because they aren’t really educated on it. If you want cybersecurity buy-in, you might have to put in the legwork to help executives and co-workers alike understand just why it’s so important for your business. Share news articles on companies that are doing a great job at protecting themselves as well as information on the increasing threats of online attacks and how they could impact your business. If applicable, consider holding town halls or informal lunch and learns on cybersecurity and your business.

 
Are you an IT expert who successfully conveys cybersecurity issues to management? Let us know in the comments below.