3 Ways To Get Executives To Listen About Risk

The C-suite cant make informed decisions about IT security risks that they dont truly understand -- heres how to better communicate what they need to hear

Communication skills are some of the most important within a IT risk managers tool kit. Thats because if threats cant be conveyed to a business upper-level management, its going to be awfully hard to convince said managers to loosen the purse strings. But one shouldnt rely on choice turns of phrase or smooth talking alone to successfully communicate risks. Theres also a lot of underlying homework and a fundamental attitudinal shift that needs to occur for the message to resonate with the C-suite. Here are three important tips in achieving that goal.
[Hackers fixate on SQL injections -- CSOs, not so much. See
The SQL Injection Disconnection
.]
1. Insert ROI Into The Equation
Quantifying return on investment from security spend remains one of the long-lamented challenges in the IT security industry. Some continue to wonder how you can put a valuation on something that never happens. But that valuation does exist, says Joe Fisher, president of Affinity IT Security.
The value of avoiding negative consequences is both real and quantifiable, Fisher says. The ROI calculation must recognize and account for the value of avoiding the full scope of economic damages that can result from a breach.
If you need a little help, start by grabbing a newspaper and looking for evidence of public details about consequences other companies have had to pay for past breaches.
To help justify purchases, security departments can cite examples of data breaches and what those consequences were: regulatory penalties, decline of company reputation, job loss -- including at C-level, and identity theft leading to monetary loss, says Michelle Head, technical consultant with the security practice at Force 3.
But dont just come to the boardroom with newspaper clippings. Convert some of those public numbers into what it would translate to economically for your company should a similar asset be breached. And do some digging for other costs that may not be included in the news.
Fisher recommends that an ROI estimate should account for at least six variables: the cost associated with forensic analysis to determine the scope of the breach, the cost to remediate and re-establish a secure environment, the cost to prevent future repeats of the same attack, the legal costs of a breach, the loss of revenue due to the breach, and the potential damage to the stock price following a breach.
The costs of each of these can be estimated and should be aggregated to form a comprehensive assessment of potential damage, Fisher says. This can then be discounted by the likelihood of the breach occurring to arrive at a risk adjusted damage estimate.
2. Come Ready With Threats Prioritized Against Business Objectives
Simply stepping into the CEOs office and stating that there are 10,000 vulnerabilities in the companys application portfolio or that there were 22 incidents last year stemming from uneducated users doesnt necessarily get you any closer to communicating the risks.
Risk conversations that consist of a laundry list of vulnerabilities in IT infrastructure or network threats may raise concern that wont necessarily educate executives well enough for them to make decisions about which risks to accept or mitigate.
The point is managing risk to business performance objectives, says Brian Barnier of ValueBridge Advisors. Think about how many Olympic athletes wished they better avoided injuries or took a greater risk to score a point.
CEOs respond well to numbers -- but only when theyre framed around what those numbers mean in relation to business objectives and the bottom line. This framing starts first by making sure that the words youre using are from a business lexicon, not techno dictionary.
Anything really technical we tend to flub because we walk into the CEOs office and start spouting acronyms, says Mike Murray, managing partner for consulting firm MAD Security. And we expect that person to take that and translate it to business speak in their head without realizing that its our job to translate it for them in a way they understand.
Similarly, the numbers need to be converted into dollars-and-cents impact. This means performing a quantitative analysis of how much past threats cost the business, how likely they are to occur again, how much itll cost to prevent each of them in the future, and given an expected budget estimate, where the cash infusions should go first. Its also key to include potential impact on revenue should the risk be accepted and the worst occurs.
There are simply too many issues to be fixed, and no company can address them all. What we often do not see is a prioritized list of which holes to fix based on a quantitative analysis, says Naeem Zafar, president and CEO of Bitzer Mobile. If an IT organization can only fix three issues, they are likely to be the ones that cause the most harm or provide the best return for the organization. CIOs should play a strategic role by addressing these issues based on quantitative analysis.
3. Let Executives Accept Some Risks
As the proverbial goalkeepers in front of the net, it may be difficult for security executives to accept situations that make it easier for the ball to cross the goal line. The instinct is to keep the sheet clean and aim for never letting a security incident sully the record.
But the fact of the matter is that the game isnt really won based on how many times the bad guys score a hit off of your infrastructure. Its based on how much money the company makes and the financial impact that threats will make against that profit. Keeping that in mind, it will make sense for line-of-business executives to accept some risks if the medicine is worse than the cure.
The truth is security is all about levels -- the level of pain you want to make a would-be hacker go through vs. the level of disruption you can have on your workforce, says Ken Tola, CEO of IP Ghoster.
IT security professionals who can offer a quantitative risk assessment and are prepared to let their executives accept risks based on that assessment are going to gain a lot more respect and, consequently, more budget to deal with high-priority risks than the ones who insist no risk remain unremediated.
The ultimate goal is to determine your organizations appetite for risk and to facilitate the cultural move from a zero-risk mentality to a risk-resilient mentality, says Bryan Fite, BT Assure portfolio manager for U.S. and Canada at BT Global Services.
Have a comment on this story? Please click Add Your Comment below. If youd like to contact
Dark Readings
editors directly,
send us a message
.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
3 Ways To Get Executives To Listen About Risk