An important part of an information security professional’s job is communicating risk. Clear, concise communication that leadership can understand and act upon is the heart of a risk management system. The challenge is that many IT risk scenarios appear abstract, vague, or irrelevant to colleagues working outside of InfoSec. Consider a common interaction that might look something like this:
CISO to Leadership: “We need $50,000 for a DDoS solution because there is a medium-high risk of an impacting event that could affect the customer wireframe sites.”
Leadership: “What do you mean?”
CISO: “Well, a DDoS attack could degrade reputation and brand identity.”
Leadership: “Okay, but…how much?”
CISO: “Well, results vary, but we believe there is a significant likelihood of this happening with potential high impacts.”
Leadership: “Yeah, sure. We’ll be fine…”
When security professionals do not communicate what’s needed in clear terms that business leadership can understand, the message lands like vapor against a brick wall. Listeners tend to believe the specific while discounting the vague, and statements like “medium-high risk” or “high impact” are vague, unquantifiable terms that leadership can’t base decisions upon. “We need to spend $50,000,” while specific, is heard as just another expense item rather than a tangible way to reduce risk.
So how do we change our approach to get the results we want? Some security professionals try to substitute “high risk” statements with quantifiable dollar amounts. But this can be difficult for most of us since we seldom have hard numbers attached to our risk statements.
An alternative approach is to pivot and change the context. In other words, connect the conversation to topics leadership cares about that have easy-to-measure metrics. For example, most organizations consider operational efficiency highly valuable, so availability (of the CIA triad) is a good place to start.
Here’s the same scenario presented to business leadership using an entirely different approach:
A data center supports a team of a hundred or so user web interface designers, most of whom work remotely via VPN. The data center has many servers, but they hold no confidential data whatsoever, only mockups of customer websites. Therefore, the servers have minimal security controls: a basic firewall and some antivirus on the servers, and not much else. Based on that, a DDoS threat to this environment would be considered medium-low risk. But, through an operational resilience lens, the threat of a DDoS attack would mean that a large team of billable resources could not work. As a result, the attack could end up costing tens of thousands of dollars of lost revenue (100 consultants * $150 an hour = $15K per hour). Now we have something concrete to discuss with business leadership in regard to whether a DDoS protection solution is worth the cost.
There are many sources of hard data that we can use to translate InfoSec risk into dollars of operational risk. These include service level agreements, contractual penalties, revenue per division, recovery time costs, and penalties from audit failures. Raiding the Business Impact Analysis of the Business Continuity plan is also a great place to find these metrics.
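The data center scenario above, carried one step further as an added example (not code from the original post): it turns the page's 100 consultants at $150 an hour into an hourly loss, then into an annual expected loss and a break-even point against the $50,000 DDoS solution. The outage duration, outage frequency and control effectiveness are assumed inputs that the post does not state; in practice they come from the BIA, SLAs and incident history named above.

```python
from dataclasses import dataclass


@dataclass
class OutageScenario:
    """Inputs for translating an availability threat into operational dollars."""
    headcount: int            # billable people who cannot work during the outage
    hourly_rate: float        # billable rate per person per hour
    outage_hours: float       # assumed duration of one outage (not from the post)
    outages_per_year: float   # assumed frequency per year (not from the post)


def hourly_loss(s: OutageScenario) -> float:
    """Lost billable revenue per hour of downtime (the post's 100 * $150 figure)."""
    return s.headcount * s.hourly_rate


def annual_expected_loss(s: OutageScenario) -> float:
    """Single-loss expectancy times annual rate of occurrence (ALE)."""
    return hourly_loss(s) * s.outage_hours * s.outages_per_year


def breakeven_hours(s: OutageScenario, control_cost: float) -> float:
    """Hours of downtime per year at which the control pays for itself."""
    return control_cost / hourly_loss(s)


def control_justified(s: OutageScenario, control_cost: float,
                      effectiveness: float = 1.0) -> bool:
    """True when the loss the control is expected to prevent each year
    (ALE scaled by an assumed effectiveness, 0..1) covers its annual cost."""
    return annual_expected_loss(s) * effectiveness >= control_cost


def summarize(s: OutageScenario, control_cost: float) -> str:
    """One-line statement in the operational terms leadership can act on."""
    return (f"${hourly_loss(s):,.0f}/hour of lost billable work; "
            f"${annual_expected_loss(s):,.0f}/year expected loss; "
            f"a ${control_cost:,.0f} control breaks even after "
            f"{breakeven_hours(s, control_cost):.1f} hours of downtime per year")


if __name__ == "__main__":
    # Constructed figures: the post's 100 consultants at $150/hour and $50K solution,
    # plus an assumed single 8-hour outage per year.
    scenario = OutageScenario(headcount=100, hourly_rate=150.0,
                              outage_hours=8.0, outages_per_year=1.0)
    print(summarize(scenario, control_cost=50_000.0))
```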
A global restaurant chain recently embraced this approach. They reorganized their security team under IT operations. Now they treat IT security risks as operational risks that affect well-understood metrics like service quality, staff productivity, and data availability. Yes, getting your network sandbagged with ransomware is a high risk with high impacts. The downtime is also going to cost your company $5,000 per minute due to lost sales because the point-of-sale terminals are toast.
By pivoting the risk discussion to focus on tangible operational impacts, the business leaders who need to care will hear and understand your message. The only caveat? If successful, you may have a new problem: leadership will now want you to fix these problems ASAP. Now that you’ve got leadership listening to the problems, hopefully you are ready with solutions.
MODIFIED: Jul 06, 2017