Saturday, May 25, 2013

Communicating with Execs on InfoSec

As I sit here, drink my coffee, and worry about the troubles of the world, I came across this DarkReading post on Security Pros failing in Business Lingo.  It is an interesting read but nothing groundbreaking.  The argument has been around for a while now that much of senior management rarely has any idea of what we are talking about.  We are finally seeing more of us making their way to that table.  Those that do are usually well versed in the business speak.  I would agree that all Security pros should be familiar with how to explain why technical vulnerabilities affect the business.  In smaller shops you may not have that C-level representation, so you would need to double as the highly skilled security engineer and the CISO/CSO.  But in the larger environments, there really need to be some tiers in place.  Your skilled staff should worry about the job/mission while their management can translate their activities/needs to the execs.

An engineer is an engineer regardless of whether they are building a new jet propulsion system or developing a new architecture to store that system's critical data.  People like your incident responders, security architects, penetration testers and such are (hopefully) highly skilled individuals who know their craft inside and out.  They spend their days learning about the newest attack methods and how to detect/defend against them.  They are the engineers and scientists of the IT world.  They are not that different from your network/systems engineers who build the infrastructure.  I'm not saying they can't be bothered with talking to execs, but they really shouldn't be focusing on that.  They should be able to provide data to their management so they can communicate it up the chain.  Let them do what they are good at and everyone will be happy.  At times though, the engineers may need to step up and speak directly to management.  At that point, the security execs/managers should be supportive and help get the right "Lingo" into that presentation.

As a consultant, it is a different story.  You need to be able to play both sides, as you are typically selling your service to non-technical people.  You need to understand what keeps them up at night and address that.  If you cater to SMBs, you will most likely be talking to the President/CEO of the company.  They will most likely not know about things like "Firewalls" or "SQL Injection" and what types of risk they pose to their company.  So things like "getting shell on your webserver" will need to be explained in different terms; for example, "Your web server that hosts <insert app name here> is vulnerable to a number of attacks that will lead to a compromise of your customers' data.  This data can then be downloaded and used to carry out a number of computer fraud crimes.  Since this data contains SSNs and other Personally Identifiable Information, you can be held accountable and possibly fined a significant amount by the federal government."  Make sure you include numbers on the possible fines because in some cases, if the business is small enough, that one fine can end them.  I would cite similar numbers if I found a prospect that was out of compliance with Microsoft licenses.  That was something like $100K per incident.  Tell that to a company who doesn't want to "waste" money on a $1500 license pack and they change their tune.

So I guess to wrap this up...  This is going to be ever-present, as you will always need highly skilled individuals who know how to figure out the problems and fix them.  The types that you throw a Rubik's cube in front of and they will relentlessly work it until they achieve their goal.  You will have the researchers who continually take apart hardware/software to see how it ticks.  These guys are the scientists of technology and they need to spend their days doing this type of work.  Eventually one will rise out of the lab; that person will realize they are a better fit to help the cause from a managerial post.  They will work to attain the skills to better work with the executives, but will retain the knowledge to continue communicating with the engineers and architects.

As always, feel free to leave your comments.  Do you agree or disagree?