A geek’s guide to communicating cyber security risks

An Infosec 2014 presentation I attended this week entitled ‘One big threat to cyber security: IT Geeks can’t talk to management’[1] provided some interesting advice about explaining the implications of cyber risks to the People At The Top.

We’ve all heard the research – and probably experienced first-hand – about how IT professionals communicate (or don’t).

According to the panel – which consisted of self-confessed ‘former geeks’ – when it comes to communicating cyber security risks, it is essential to avoid a scenario in which “either nothing or everything” reaches the top.  It is often a delicate juggling act, involving breaking down the information into the most relevant content, and in the right amounts (bite-sized is best). Learning to use PowerPoint and refining your presentation skills is one way of helping you to present complicated facts in a user-friendly manner.

Be persuasive

Once you have condensed the information into a manageable format, the trick is to transmit this information effectively.  “Using persuasion and emotion is much more important than volume,” said panelist Stephen Bonner.

Hearing that “translating upwards is YOUR job” was refreshing in an industry where geek-speak has become pervasive.  Asking yourself “What does this actually mean?” when trying to explain the risks can help you to communicate something that would otherwise be meaningless to the board.  An effective (and obvious, but trickier) way of doing this is to turn risk information into a financial measure.

It’s all about the money

Explain the financial impact and not the quantity or detail of the risks, they say.  First, tell your board what they want to have happen (optimal use of business resources, sustained growth within budget), and then tell them what they want to avoid (embarrassing data breaches, expensive penalties).  Then simplify.  The key is to think ‘executive summary’, and ‘red versus green’.

Sometimes, other roles in the organisation can help you to translate the technical jargon into practical content, such as those in legal positions who are trained to understand and communicate business risks.  Meeting with other non-IT teams to understand how they convey their risks can also be useful.

Some final parting words of advice:

  1. Don’t make them learn your craft.
  2. Read company reports to understand what your business does.
  3. Know why the business should care about the risks.
  4. Explain what your jargon means.

Vigilant Software, a partner of IT Governance, this week introduced a host of added features to vsRisk™, its industry-leading cyber security risk assessment software, which provides a simple and easy-to-use framework for conducting risk assessments and delivering audit-ready reports.  Now including the ability to assess the cyber risks across multiple departments, locations and ISMSs, vsRisk is suitable for large companies, small businesses and consultants alike.  By providing populated control sets, a database of potential risks, and the process to help you get there, vsRisk simplifies the risk assessment and helps you to get the job done quickly, enabling you to produce reports that will be meaningful to the C-suite while helping your company to save time, resources and money.

vsRisk is offered in Standalone, Network-enabled and Multi-user versions with multiple ISMS add-on options and 12-month support and upgrade licences available.

[1] The panel was presented by Dwayne Melancon (CTO: Tripwire), Stephen Bonner (Partner: KPMG) and Thom Langford (Director, Global Security Office: Sapient).