Study: Infosec underestimates the importance of business communication

According to a recent study done by PricewaterhouseCoopers and (ISC)2, information security teams don't communicate well with other business units, which costs them valuable resources, as well as the general respect they need to get the job done.

Information security pros need to start recognizing the importance of business communication and speaking the language of business if they are to be taken seriously by senior management and the rest of the organisation, according to the results of a new study carried out jointly by (ISC)2 Inc., the industry training body and PricewaterhouseCoopers (PwC).

Security is about people, and if people are not interested or engaged by what you're saying, then you won't influence them

James Gay
CISOTravelex UK Ltd.

The two bodies asked senior CISOs working in UK organisations to identify how best to bridge the apparent communications gap that exists between information security, IT and senior management.

The full results of the study will be presented this week at RSA Conference Europe in London, offering some detailed advice to both management and security pros to help them work better together.

"Historically, business leaders and boards have tended to regard information security as a technology issue, but this is a complete misconception and needs to change," the report says. "The message is clear: Business leaders today ignore or underestimate information security risk at their peril."

PwC's research shows that many organisations' ability to secure their mission-critical corporate information is being undermined by a communications gap among the three key participants in any information security strategy: the business units, the IT function and the information security department. "Instead of working together toward common goals, these three stakeholders often fail to understand -- or even respect -- each other's roles and value to the organisation," it says.

While the business units often grudgingly accept the role that IT plays in the business, they often regard information security as a barrier to getting work done.

At the same time, IT feels underappreciated by the business and regards information security as the group that delays new system implementations by insisting on code inspections and penetration testing.

As for information security pros, they feel unappreciated and disliked by both the business and IT, and cannot understand why both of these units fail to understand the importance of their role. Yet when infosec pros try to explain the nature and scale of the threats facing the business and IT, the report says, they tend to come up against misunderstanding and incomprehension.

The study concedes that in some industries, such as financial services, regulatory and compliance pressures have helped information security sell the concept of security to the business and get security onto the business agenda. "But in most sectors this remains an uphill battle."

And yet, change could be on the way. In its new 2011 PwC Global State of Information Security Survey, PwC shows that chains of command are beginning to change in business, with more CISOs reporting directly to the board rather than through the CIO. The global study, based on information from 12,800 senior business people, found that 15% of CISOs now report to the chief operating officer (9% in 2007); 15% to the chief finance officer (11% in 2007); and 36% to the chief executive officer (32% in 2007).

"This appears to signal a growing executive recognition that security's strategic value should be more closely aligned with the business than with IT," the report concludes.

The communications gap
In their research with a group of UK CISOs, PwC and (ISC)2 uncovered a strong need to break down the communications gap among elements of the organisation. Stephanie Daman , head of information security risk at HSBC Plc., typified the general view: "Language is the biggest barrier," she is quoted as saying in the report. "In security [information security pros] don't speak business language, so what seems clear to us can sound like double Dutch to the people we are speaking to in the business. … Adding 'risk' to my job title has been very useful. The business understands 'risk'."

James Gay, CISO at Travelex UK Ltd., underlined the need for CISOs to have multiple skills: "As head of information security, you need to know about encryption, firewalls and so on. But if you go to the board and use that language, then you'll lose them immediately. Security is about people, and if people are not interested or engaged by what you're saying, then you won't influence them," Gay said.

The paper suggests the kinds of questions that could be used to help all three parties recognize and focus on their common goals. The programme, it says, should aim to articulate the importance of the organisation's critical corporate information -- ranging from customer databases to intellectual property -- and highlight the impact on the business should these assets be compromised. This means answering questions such as:

  • What information is most critical, and where and how is it held?
  • Why does it matter to everyone in the business that this information is kept secure?
  • Can the business place a value on this information in both financial and reputational terms, and if so, what is it worth?
  • What security risks does this information face, and what safeguards are in place to mitigate those risks?
  • What would be the financial, reputational and regulatory effects on the business if the information were compromised?

Five steps to success
To bridge the divide between business and information security, the paper outlines five steps for the business leader to take, also outlining what he or she should ask of the information security leader:

    1. Engage the whole board in the need for world-class information security standards, and get the organization's information security leader to outline threats and solutions, using straightforward business language and couching the message in terms of risk.

    1. Discuss future strategic technology choices, identify forthcoming changes in areas such as device and application usage and involve the security leader in assessing the impact and implications if these shifts happen.

    1. Rate the security of each business unit and, where risk is high, consider offering financial incentives to senior executives to help them focus on implementing top-level security standards.

    1. Bring together people from information security, business and IT to brainstorm the threats and opportunities and debate solutions.

  1. Over the long term, engage the security leader more deeply in the strategic agenda and future plans. Ensure that information security's key business role and relevance is understood and appreciated throughout the organisation.

Read more on Security policy and user awareness