Friday, March 28, 2014

Communicating Risk to Executive Leadership - a common problem for security folks.



The article starts with the following:

“I don’t get it!” said the CEO as he dropped the 300 page report on the conference table.

Our reports may not be 300 pages, but our inability to speak the executive language is the issue.


According to the article, common complaints heard from executives included:


  • “Why does it take so long?”
  • “I thought we had security controls in place to take care of this stuff?”
  • “How do we fix these problems?”
  • “What do these risk numbers mean? Are we in danger or not?”
  • “This is just busywork to keep the regulators happy.”



Challenges with current risk management techniques:

Challenge 1 – Difficulty in Assigning Value
Challenge 2 – Risk and Security Language is Incomprehensible to Leadership
Challenge 3 – Numbers Can Deceive
Challenge 4 – Risk Data Gets Stale Quickly



Solutions:

Talk Like an Executive
Use Emotional Words Sparingly
Deliver Intelligence, Not Data
Communicate in the Now


How to Improve the Risk Conversation:

Step 1 – Agree on Six Words (Threat, Vulnerability, Control, Impact, Probability, Risk)
Step 2 – Establish a Lens (a lens is a way to break down a larger whole into manageable chunks)
Step 3 – Express Security Issues in Terms of Threat
Step 4 – Get Data, Put it in the Backseat
Step 5 – Simplify Impact and Probability
Step 6 – Embrace Simplicity and Brevity in Reporting



The link below has more information:

http://blog.anitian.com/communicate-risk-to-executives/
