Risk assessment is all well and good, but IT officers are wasting their time if they can't explain the findings in a language their bosses can understand, Gartner analysts warned at the firm's 2007 IT Security Summit.
Gartner analysts Paul Proctor and Jeffrey Wheatman said IT professionals often overwhelm the top brass by using a lot of tech jargon to explain where the problems are and what needs to be done about them. In the process, they fail to help their bosses see the larger risk to the business and the customers.
"If you go in there talking about Trojans, bots and SQL injection attacks, it's going to be nothing but Greek to management," Wheatman said. "IT security managers also won't get anywhere by talking down to the boss and telling them how they should run their business."
They suggested IT pros take the time to learn what their bosses do and what they're thinking about on a daily basis, and understand the value of information from their perspective.
It's also important to use numbers, models and other metrics to back up the findings, they said.
Wheatman said he learned the hard way how poor communication can keep necessary security improvements from happening. Before going to work for Gartner, he was hired to conduct a risk assessment for a small firm. He discovered security holes in the company's wireless set-up and described them to the owner using acronyms like WEP and various other words that didn't resonate. Eventually, he came back and explained the problem in simpler terms.
"I explained that their intellectual property could be stolen by someone using a laptop in the parking lot to access wireless transmissions," he said. "They got it and the problem was fixed."
As part of the presentation, Wheatman and Proctor had attendees answer a series of questions using hand-held devices. One question was whether attendees include their company's business people in the risk assessment process. Forty-six said yes, eight said no and 42 said sometimes. The numbers showed IT professionals are getting better at conducting their reviews, Proctor said.
"Three years ago the number of yeses would have been much lower, so we are getting somewhere," he said.
The analysts also asked the audience how often they conduct risk assessments. Forty-four said once a year, 33 said they do so two to five times a year and 44 said they conduct assessments more than five times a year. Proctor said risk assessments must be done continuously, not just when an incident occurs or a regulation demands it. The process should include a consistent set of risk criteria, ratings and reporting format, and the results must be stored in a centralized location.
To deliver a report the top brass will find valuable, they also recommend:
- Learning how the marketing and sales departments operate and explaining risks from those perspectives;
- Participating in the business planning process;
- Working closely with business analysts to understand how systems are used; and
- Assessing risks with the business objective in mind.
"At the end of the day, the CEO wants to know what the impact will be on the business," Proctor said. "Ask what keeps them up at night" and communicate the risks in that context.