Tips for Security Leaders on Communicating with the Business

It’s no secret that a communication gap exists between security leaders and the business, and it’s time security leaders did something about it. An inability to articulate the value of the security organization’s work and to justify its expenditures damages the security leader’s credibility, and with it the effectiveness of the security program and, in turn, the enterprise’s security posture. In short, to do your job well, you must learn to communicate with the business. To that end, here are five tips for improving your communication skills.

#1: Ditch the technical jargon.
The truth of the matter is that business leaders aren’t going to learn to speak your language. You must learn to speak theirs. This means changing both what you talk about and how you talk about it. For example, instead of talking about threats, talk about the risk those threats pose in terms the business understands: not "an unpatched vulnerability on the web tier," but "the online ordering system could be unavailable for a day." Using their language assures business leaders that you share the same focus, namely the success of the business.

#2: Get the appropriate training.
Ditching the technical jargon can be easier said than done. Many security leaders move up through a series of technical roles, so they think and speak in technical terms, and they seldom receive training in business communication. If you want to be a successful leader, however, you must make the effort to develop communication, presentation and facilitation skills. The importance of these skills is underscored by the fact that Gartner advises enterprises to recruit security and risk management leaders with business backgrounds and experience rather than strictly technical expertise. If you lack these skills, then instead of earning another security certification, consider taking a class in business writing or presentation, or even a postgraduate business course.

#3: Use the little time you have wisely.
Just like you, business leaders are busy. Combine this with the fact that security is not their primary concern, and you understand why getting any time with business leaders is difficult. When you do have their attention, you need to use it wisely to ensure that business leaders hear your message and that they’ll be willing to meet with you again in the future.

Use the time you have with business leaders to demonstrate the value of a proposed or current project, and tie your message to a business goal. Make that connection, and why they should care, clear early in your presentation. Finally, keep your presentation concise, but be prepared to answer questions and provide additional support for your message if it’s requested.

#4: Learn to translate business-speak.
Business leaders care about different issues depending on their rank and department. To make matters more complicated, they don’t always do a good job of articulating those concerns. It’s up to the security leader to understand each business unit’s goals and initiatives, and to work with business leaders to identify risks and determine confidentiality, integrity and availability protection needs. But first you have to get their attention and show them that you support their goals. Once you do this, it’ll be easier to get a discussion going about how you can help them achieve those goals while minimizing risks.

#5: Understand the business’ risk appetite.
Do you have a good grasp of your business’ risk tolerance? More importantly, do business leaders understand their risk tolerance? In order for security leaders to put effective and appropriate security controls in place, they must understand the business’ appetite for risk.

To this end, security professionals should assess the enterprise’s risk profile as well as its current state of information security risk maturity. These assessments, and the management and communication of risk more generally, should use existing frameworks or models rather than a home-grown vocabulary. This lets everyone involved focus on the subject of the discussion instead of on the terminology or the framework itself. Also, when possible, use scenarios or stories to convey the impact of a risk. Quantitative risk assessments can be difficult to substantiate, and a figure on its own doesn’t always land with the audience the way a concrete scenario does.

Learning to communicate with the business is crucial for security leaders. While these skills may not come easily, they are absolutely necessary for security leaders to achieve their goal, which is ultimately to reduce and manage risk.