Maksim Kabakou - Fotolia

Security Think Tank: Simplify infosec messages: If not X, then Y and Z

How can information security professionals help businesses to understand the cyber risks across increasingly digital businesses?

As a profession, we infosec people are very good at talking to ourselves about information security, but we are not good at getting our message out to the community as a whole, or businesses in particular. Why is that? Is it because we cannot find the right words or vocabulary to use? Businesses understand profit and loss, and the need and cost of marketing and sales.

Without marketing and sales, a company would not survive, but also in our increasingly interconnected world, without good information security many companies will inevitably fall victim to a security breach and, given the worst scenarios, fail.

So what is the message that should be given to “the business”? Simply that if you don’t do X, then Y will happen, and that will cost the business £Z.

Here, X is an information security control such as ensuring the IT estate is securely patched, or that all people in a company are given regular training and education in being good, security-aware citizens – and what to do when things start to go wrong. 

Y is, of course, a security breach. While this could be someone hacking into a company’s IT estate and taking copies of data, it is more likely to be someone opening a malware-infected email attachment, or clicking on a URL link in an email that takes their browser to a source of malware which could be ransomware.

£Z is the cost to the business of recovering from the breach. It’s the cost to the business that needs to be articulated and in a way that is understandable. Saying that it will take two days to recover from a breach isn’t sufficient. However, you do need to say it will take this long to technically recover the IT estate.

You also need to identify the potential cost to the business, and of lost productivity across the whole company, the anticipated loss in sales and the typical cost of using external specialist infosec help.

A funding request should ideally be written with the recommendations immediately following the management summary and structured along the X, Y and Z lines identified earlier.

It could be that that there is a range of options available. If so, prioritising the options along the lines of “must have”, “need to have” and “nice to have” will help the business come to appropriate decisions. It could be that any prioritisation is not identified, but used to influence funding negotiations. Detailed risk reviews and analysis, work identification and costs to implement, and the potential costs to the business if various works are not done should be included, but as supporting appendices.

Peter Wenham is a committee member of the BCS Security Forum strategic panel and director of information assurance consultancy Trusted Management.

Read more on IT risk management