Many organizations struggle with getting executives on board with IT security. Here are some ways improved communication can help.
As we recently wrote, there are some important low-cost ways companies can help reduce the threat of data breaches and other security attacks.
One of the other top things IT can do to get management — and by extension, the company as a whole — on board with improving information security:
Get better at talking about security.
A recent study from PwC and CSO Magazine found that many IT departments aren’t sharing a lot of valuable security information with the organization. As a result:
- 22% of business execs didn’t know how their losses from cyber crime over the past 12 months compared to previous years
- 21% weren’t sure which types of cyber security threats posed the greatest risks for their organization, and
- 17% were unable to list all of the cyber crimes that affected their business over the past 12 months.
Even when security information is shared with business units, those who receive it often don’t understand or put it to use, according to a new survey from the Ponemon Institute and Tripwire.
The poll of 1,321 IT workers found that their communication with senior executives often gets lost in translation. That means, for many companies, decision makers are failing to allocate resources to where they’re most needed.
And if execs don’t understand security, it’s hard to get them on board with efforts to improve awareness and behavior, which is critical for getting through to all users.
Here are some of the reasons security information often isn’t communicated properly — and what IT can do about it:
The information isn’t clear
One of the biggest reasons for the disconnect is simply that a lot of the information provided by IT is difficult for people in other areas to understand.
In fact, 61% of the IT pros surveyed by Ponemon said the security data they have to present is too technical for non-IT leaders to understand.
However, it’s critical that execs receive and understand that information. Some ways to help:
- Don’t get bogged down in all the unnecessary technical details. Filter out everything except for what’s relevant to the decision maker’s role.
- When technical information is required, use analogies to make the explanation simpler.
- Make communication regular. Close to half (40%) of respondents only communicate with management after there’s a security incident. However, delivering data on a scheduled basis will make it clear it’s something executives need to have.
Executives don’t care
In addition to failing to understand security information, many IT pros feel that executives are indifferent about hearing that data.
Close to half (48%) say information isn’t delivered because other issues take precedence, while 18% say executives aren’t interested in learning about security risks.
However, it’s IT’s job to make executives care about security. One of the reasons interest is low is that the data isn’t chosen or presented in the right way.
When asked if their security communications were in line with the company’s objectives, 53% of IT pros said no or that they weren’t sure.
IT must be clear about what those objectives are and deliver the data accordingly.
IT leadership isn’t involved
Another common reason security information often gets ignored: It comes from employees too low in the organization.
That problem was cited by close to 60% of the respondents surveyed by Ponemon.
Executives and other decision makers are more likely to listen to other leaders within the organization. Therefore, it helps if the communication comes from the most senior IT person in the company, whether that’s the CIO, IT manager, or someone else.
Also, for companies with large enough IT departments, having someone with a title of CISO (Chief Information Security Officer) can help.
Not only is someone in that position good for spreading security information, it’s also useful to have one person who’s held accountable for all security matters within the organization.