IT managers must learn to explain to senior management the business consequences of a system failing if they are to successfully secure funding for security as part of risk assessments, according to Gartner.
Gartner analysts Paul Proctor and Jeffrey Wheatman said IT professionals often overwhelm management by using technical jargon to explain where the problems are and how they should be solved. In the process, they fail to help their bosses see the larger risk to the business and the customers.
"If you go in there talking about Trojans, bots and SQL injection attacks, it is going to be nothing but Greek to management," said Wheatman. "IT security managers also will not get anywhere by talking down to the boss and telling them how they should run their business."
Proctor suggested IT pros take the time to learn what their bosses do and what they are thinking about on a daily basis, and understand the types of information they place a value on in their roles.
"The CEO wants to know what the impact will be on the business," said Proctor. "Ask what keeps them up at night and communicate the risks in that context."
Neil Dudleston, Group Information Security Officer at United Utilities, said that his department used over fifty measurements to measure the risks to the company's IT systems each month. But it was only when these were translated into terms senior management understood that progress was made.
"IT has to engage other parts of the business, such as marketing, to communicate how failures might affect operations. Information security risk language does not always translate into business language and this is an area that needs work," he said.
But management must also refine its language when talking to IT, especially on legal and compliance issues. David Lodge, global head of IT risk control at UBS, said that IT departments needed a better articulation of their legal obligations by the business.
"Legal departments need to better express what IT should be doing to stay compliant when it comes to risk management and this has to be facilitated by senior management," said Lodge.