Straight talk for security pros

Communicating the importance of security risk and the need for related investment to those less familiar is no easy task, but industry experts agree there are a few techniques that you can follow as a CSO, CISO, or project manager to help get your point across and curry favor with other business leaders.

At the ongoing Source Boston 2008 conference, a panel made up executives, technologists and IT consultants debated the problems that emerge when security professionals head upstream looking for additional support or financing for their efforts.

Getting your point across about the threat of peer-to-peer botnets, server-side polymorphism, or Section 6 of the PCI Data Security Standard probably won't work if you rely on technical jargon and insider knowledge to tell your story, the presenters agreed. But if you explain things to people in terms they might understand or which directly impact their own business roles, your chances for success are far greater, the panelists said.

"I don't know the technical language and won't ever try to understand everything," said Reggie Sommer, who has previously served as the CFO at a handful of firms, including Netegrity, and who currently sits on the boards of several financial services companies.

"I think in terms of risk -- sometimes that's about dollars and sometimes it's about reputation, but you need to tell me, what's the real risk that could actually hurt the business? It's all about getting the language and communication right," she said.

Too often, security professionals forget that other business leaders don't follow emerging threats or compliance demands on a day-to-day basis and defer to language that means little to the average executive.

Selling your project or asking for more money is all about finding the right way to trace security issues back to traditional business operations and broader operational concerns, the experts advised.

In addition to gaining the budgetary and organizational support needed from CEOs and other executives to push ahead with your plans, it's also increasingly important to have business leaders contribute to the process of getting everyone else in your company to help make those efforts succeed.

"You can't go in talking about technologies. You need to quantify what the risks are; every business is run by policy and those policies need to come out of senior management," said Dennis Devlin, chief information security officer at Brandeis College and a former CISO at Thompson Corp.

"To succeed in this, we need to teach people to think how we think, and I spend a lot of time teaching people to make informed decisions about risk, which goes far beyond technology," said Devlin. "You look at something like [data loss prevention], and to make that truly work, it has to be a management directive."

Security consultants admit that even they struggle at times to convince business leaders how or why a problem must be solved. Executives often assume that security issues can be fixed by merely flipping a switch or installing a product rather than by trying to make fundamental changes to the manner in which they do business. Once again, the key to overcoming those hurdles is finding the right constituency to talk to and making sure that you understand their role to help get your point across, said Gene Meltser, lead technical architect at Symantec.