IT managers must learn to explain to senior management the business
consequences of a system failing if they are to secure funding for
security as part of risk assessments, according to Gartner.
Gartner analysts Paul Proctor and Jeffrey Wheatman said
IT professionals often overwhelm management by using technical
jargon to explain where the problems are and how they should be
solved. In the process, they fail to help their bosses see the
larger risk to the business and the customers.
"If you go in there talking about
Trojans, bots and SQL injection attacks, it is going to be
nothing but Greek to management," said Wheatman. "IT security
managers also will not get anywhere by talking down to the boss and
telling them how they should run their business."
Proctor suggested IT pros take the time to learn what their
bosses do and what they are thinking about on a daily basis, and
understand the types of information they place a value on in their
roles.
"The CEO wants to know what the impact will be on the business,"
said Proctor. "Ask what keeps them up at night and communicate the
risks in that context."
Neil Dudleston, Group Information Security Officer at United
Utilities, said that his department used more than fifty metrics each
month to measure the risks to the company's IT systems. But progress
was made only once these were translated into terms senior management
understood.
"IT has to engage other parts of the business, such as
marketing, to communicate how failures might affect operations.
Information security risk language does not always
translate into business language, and this is an area that needs
work," he said.
But management must also refine its language when talking to IT,
especially on legal and compliance issues. David Lodge, global head
of IT risk control at UBS, said that IT departments needed a better
articulation of their legal obligations by the business.
"Legal departments need to better express what IT should be
doing to stay compliant when it comes to risk management, and this
has to be facilitated by senior management," said Lodge.