Straight talk for security pros

At the Source Boston 2008 conference, security professionals debated the best way to communicate security needs and handle upstream problems that may emerge

Communicating the importance of security risk and the need for related investment to those less familiar is no easy task, but industry experts agree there are a few techniques that you can follow as a CSO, CISO, or project manager to help get your point across and curry favor with other business leaders.

At the ongoing Source Boston 2008 conference, a panel made up executives, technologists and IT consultants debated the problems that emerge when security professionals head upstream looking for additional support or financing for their efforts.

Getting your point across about the threat of peer-to-peer botnets, server-side polymorphism, or Section 6 of the PCI Data Security Standard probably won't work if you rely on technical jargon and insider knowledge to tell your story, the presenters agreed. But if you explain things to people in terms they might understand or which directly impact their own business roles, your chances for success are far greater, the panelists said.

"I don't know the technical language and won't ever try to understand everything," said Reggie Sommer, who has previously served as the CFO at a handful of firms, including Netegrity, and who currently sits on the boards of several financial services companies.

"I think in terms of risk -- sometimes that's about dollars and sometimes it's about reputation, but you need to tell me, what's the real risk that could actually hurt the business? It's all about getting the language and communication right," she said.

Too often, security professionals forget that other business leaders don't follow emerging threats or compliance demands on a day-to-day basis and defer to language that means little to the average executive.

Selling your project or asking for more money is all about finding the right way to trace security issues back to traditional business operations and broader operational concerns, the experts advised.

In addition to gaining the budgetary and organizational support needed from CEOs and other executives to push ahead with your plans, it's also increasingly important to have business leaders contribute to the process of getting everyone else in your company to help make those efforts succeed.

"You can't go in talking about technologies. You need to quantify what the risks are; every business is run by policy and those policies need to come out of senior management," said Dennis Devlin, chief information security officer at Brandeis College and a former CISO at Thompson Corp.

"To succeed in this, we need to teach people to think how we think, and I spend a lot of time teaching people to make informed decisions about risk, which goes far beyond technology," said Devlin. "You look at something like [data loss prevention], and to make that truly work, it has to be a management directive."

Security consultants admit that even they struggle at times to convince business leaders how or why a problem must be solved. Executives often assume that security issues can be fixed by merely flipping a switch or installing a product rather than by trying to make fundamental changes to the manner in which they do business. Once again, the key to overcoming those hurdles is finding the right constituency to talk to and making sure that you understand their role to help get your point across, said Gene Meltser, lead technical architect at Symantec.

"As a consultant, I see a lot of companies with serious security problems, but these are things that they cannot change organically; we can tell them all the things they need to do, but that process is often dramatically complex," Meltser said. "These companies are typically bound by regulations and issues of corporate culture such that any change can't happen overnight; but your message has to be packaged correctly and delivered to the people most receptive to change."

In his experience, the security expert said the best approach to that challenge is to break larger projects down into smaller components that can be achieved incrementally over shorter period of time.

Ultimately, the most significant point of disconnect between security pros and the business people they work with is the struggle to balance issues of protection and compliance with efforts aimed at growing sales and revenue, which the panelists characterized as a near constant "tug-of-war."

No matter how dangerous it is to launch a business application based on related security concerns, corporate leaders often are willing to accept the risk if it is a tool that they feel will significantly boost their larger corporate interests.

Even when executives are willing to joke that the term ROI, which has traditionally stood for "return-on-investment," has changed to "risk of incarceration," based on all the new security and privacy regulations being aimed at businesses today, many are still willing to stomach major risks to meet their objectives, the panelists said.

"Being in an e-commerce start-up today, we are literally living this tug-of-war," said John Amaral, chief architect at Retail Convergence. "I joke about the risk of incarceration with our executives whenever we pass each other in the hall, but at the same time, we all know that we need to get features and functions out the door to get customers to the site."

The PCI DSS mandate -- developed by the world's largest credit card companies to punish firms that leak consumer information -- has to be referenced in nearly every IT-related decision that the e-commerce startup makes. However, the company can't get bogged down in trying to meet all of the requirement's demands to the extent that it cannot grow its core business, the expert said.

"With PCI, customer data security is a very important consideration and our executive team understands the risk, but they also need to see the rewards," Amaral said. "Sometimes we ask for more time to do something and they don't want to wait, they want to get customers to the site; while most executive teams support [IT] putting security measures in place, they also need to hold onto the bottom line."