Communicating Security Requires Two Vocabularies
- Ask the C-suite or the board what their top management concerns are; that tells you what the business’s risks are. Then examine whether they are comfortable with the risk levels in those top areas of concern.
- Making metrics meaningful to the CEO or the board comes down to the way you talk about security. Save the technical metrics for managing security operations, and speak to the risk the organization faces.
“When are metrics useful? When you’re running your IT security operationally,” says Kyle Hastings, a director of Cyber Risk Services for a global consulting firm. “You have to do the basics right and it’s very important to know how you are doing on patching your servers and workstations, and where you are with your antivirus updates and endpoint protection. Your incident response and security operations teams need to know, are they getting more efficient at closing off incidents? Are their response times getting faster? The length of time threats persist in the enterprise—is that getting shorter? These metrics are useful operationally for understanding how well your IT security teams are doing their jobs, but I don’t find them particularly useful at the board or chief executive level because they’re quite technical and low-level. Board members generally don’t speak technology, but they do understand risk, so you have to have two different vocabularies to communicate effectively.”