People in IT leadership roles, including CIOs and CISOs, typically only have five to eight minutes of time to present in Board of Director meetings, according to the latest research from the IT Policy Compliance Group. How CISOs use this time will often determine if they get the resources they need to effectively manage IT risk.
Adding to this pressure on CISOs is the fact that their boards are more attuned to security issues than ever before. Recent data from Forrester Research notes that 70% of security decision makers report increased executive awareness of IT security as a result of high profile attacks and breaches. So now, in less than 10 minutes, CISOs need to manage interactions with the board to focus on the most critical issues while avoiding distractions from what senior executives may have read about or heard regarding cyber-attacks. As a security leader, how do you maintain their focus on the issues that matter, and walk away from the board meeting with the resources or approvals you need to manage IT risk for the organization?
The simple answer is this: speak in business terms, not technical jargon. Unfortunately, only 12% of organizations view this as currently happening – a recent survey by the Information Risk Executive Council illustrates that only 1-in-8 best performing organizations feel Info Sec can effectively influence business decisions. These CISOs are communicating IT risk through a business lens and can sit down with other C-level executives and business unit leaders to talk about how IT risk is impacting their business. To date, very few organizations have reached this level of maturity.
The good news, however, is that most security leaders recognize that changes to their IT risk management program will positively impact their relationship with business counterparts. Nearly half of respondents (47%) to a Symantec commissioned survey by Forrester said that improvements in their ability to communicate the value of security and risk management in business terms would have the most impact on their relationship with business counterparts, while over 40% called out the need for more timely and accurate data, or more frequent reporting of risk and compliance.
Know your business risk
A new IT Policy Compliance Group report, “Data Driven Reporting and Communications about IT: Better Results, Less Risk”, also echoes what security leaders told Forrester. This report offers some pointed findings around what best performing organizations are doing differently to communicate and report about IT, allowing senior managers to take action.
The best performing organizations do a number of things that set them apart. They communicate what the IT risks mean in business terms to a wide range of stakeholders. They gather more information about risk from the environment, including from their people and systems, and collect this information more frequently than others in an automated manner. These organizations use dashboards and scorecards to communicate the business context to different stakeholders, and customize reports for each audience. Most importantly, their dashboards focus on communicating the business impact of IT risk. For instance, the data they show might summarize the risk to a business process, rather than highlight a technical issue on a server in the datacenter. With these approaches, they can garner more attention, drive more action amongst stakeholders and make a better case for additional security investments.
When you consider that only one organization in ten uses data-driven reporting and communications, there’s clearly room for improvement among the other 90%. Whatever your approach is to reporting information about the business risks of using IT, most organizations can and should increase the relevance of IT to non-IT stakeholders. Adopting the practices of best performers is one place to start.
Translate business risk
It’s critical that CISOs communicate IT risks in business context if they are to drive accountability and action amongst business stakeholders. Today Symantec announced a better way to communicate IT risk in business terms. The latest version of our IT governance, risk and compliance (IT-GRC) solution features the new Control Compliance Suite Risk Manager module. Risk Manager will enable security leaders to represent technical issues in the form of risks relevant to business processes, deliver customized views of IT risk for different stakeholders, and help prioritize remediation efforts based on business criticality rather than technical severity.
Would you welcome a streamlined way to communicate IT risk to your execs in business terms and secure more security budget? I look forward to your comments.