The Public Eye


Keeping tabs on federal government efforts to protect citizens' privacy

Communicating True Value of IT Security Getting the Non-IT Boss to Understand Info Security Metrics
Communicating True Value of IT Security

A major challenge continuing to confront IT security professionals is helping their bosses who aren't technology experts, including the CEO, to understand the value of information security.

Simply, IT security pros see metrics as a useful tool to validate operational performance. That's not necessarily the case with many organizations' top leaders, many of whom evaluate security based solely on cost.

That's a main finding of a new study the Ponemon Institute conducted for Tripwire, a risk management software company.

Neither the metrics- nor cost-based approach "is well adapted to communicating the effectiveness of risk-based security programs," the authors of the study write in a new report, The State of Risk-Based Security Management.

The authors say this disconnect demonstrates the escalating value of communication skills in senior IT security roles. "As business leaders are required to disclose more about their organization's security risks," they write, "those business-oriented security executives with good communication skills will be in even greater demand.

Ponemon based its findings on interviews with 749 American and 571 British IT and security professionals. It found that about half of the respondents, when rating their own effectiveness in communicating all relevant facts about the state of security risks to senior executives, say they are not effective.

On the Hook

More than half of the IT and security folks contend that the security metrics collected in their organizations are too technical to be understood by senior leadership.

Really? Is that an explanation or an excuse? True, technology complicates IT security, but that shouldn't get security pros off the hook from figuring out how best to explain the complexity. It's part of their job.

"Every group within an organization should be structured and led to be able to explain its operation and status to both C-level [executives] and the board of directors, if necessary," says Eugene Spafford, executive director of Purdue University's Center for Education and Research in Information Assurance and Security.

"That is the job of a competent manager. If the metrics don't present a useful picture, then something else should be used," Spafford says.

Ask any IT and security leader what's the most valuable skill needed to succeed and they'll answer the ability to communicate. With the cyberthreat at an all-time high, there's no better time for tech and security professionals to figure out how best to communicate to their non-tech bosses the true value of IT security.

After all, IT exists to support the business function and security helps create the environment for the business to operate safely.

"If IT security people take the attitude that their domain is too complex for the leaders to understand, or that they should make all the important decisions on their own," Spafford says, "then they are out of alignment with the way the business is supposed to function."

About the Author

Eric Chabrow

Eric Chabrow

Executive Editor, GovInfoSecurity & InfoRiskToday

Chabrow, who oversees ISMG's GovInfoSecurity and InfoRiskToday, is a veteran multimedia journalist who has covered information technology, government and business. He's the former top editor at the award-winning business journal CIO Insight and a long-time editor and writer at InformationWeek.

Around the Network