How to talk to your Board about security

PROBLEM

The gap between IT and management can often be a chasm.  Nerds can’t talk to suits. In the Dilbert cartoon, this leads to laughs; in real life it leads to frustration, ignorance, and poor organizational performance. Some of this gap is the nature of the security topic.  It’s difficult to discuss security events, which by definition are abstract, future, and highly uncertain, in a clear and concise manner. Many managers are highly quantitative and numbers-oriented, and security is not yet a quantified body of knowledge. The “curse of knowledge” frustrates any attempt to communicate specialized information, as your physicians can tell you – it’s difficult to talk about topics that you know well to an audience that knows little.

SOLUTION

There’s no one magic bullet – every message and audience is unique. But below are some tips to talk to any layer of management, all the way up to the board, about security.

  • Tell a story. Use narratives, rather than abstractions. Don’t say, “Application-layer vulnerabilities in our Internet-facing systems”, say “Chinese hackers breaking into our portal”. Where possible, reference past events for the story. “Remember from 2012, the hardware failure that took out the PACS? Imagine that for the main EMR”.
  • Use visuals wherever possible. The cliché about pictures being worth 1000 words is true. One well-crafted image can communicate more, and more quickly, than a wall of text. There are many books on the topic of visuals, but a good one is Slide: ology by Nancy Duarte.
  • Leave out irrelevant details. There’s a time for punctilious attention to every last thing, but communicating with management is not that time. Obviously don’t lie, as this hurts your creditability (among other consequences). But if six factors are in play, and one of them will drive 80% of the outcome, don’t mention the other five. Use appendices and supporting documents liberally, for those in your audience who want the gory details.
  • Many C-suites/boards/executive ranks have at least one member who has an interest in technology, in addition to his main function (it’s usually a him). Build a relationship with him and use him as a reviewer or editor, when it’s possible.
  • Don’t say the sky is falling. It usually isn’t, and you’ll hurt your creditability. Be honest about the uncertainty, and prepare a best, worst, and “in-between” scenario so that they can appreciate the range of outcomes. “We have old pipes over the data center. Best case, they burst over the store room, and no one will notice.  Worst-case, they burst over the main demarc, and we lose Internet connectivity”.
  • Distinguish between a compliance risk and a security risk. If your compliance people aren’t already doing this, point out the difference between a security risk, which can be managed many different ways, and a compliance risk, which is typically a box that must be checked.
  • Point to peers whenever possible. There’s safety (and information) in numbers. Comparing your state to your neighbors’ is powerfully persuasive. It also gives you an excuse to network.
  • Don’t boil the ocean. A common management complaint is that IT spending is very high, but the benefit is unclear. Offering a range of options, rather than the one perfect (and very expensive) solution, can give management a better sense of the costs and benefits of each of them.

IMPACT

Engaged, informed, active management can be a valuable ally in driving organizational change. Security is only partly a technology function, and no one’s better than a board at changing processes and people.