Communicating the importance of security investments to top business executives is hard to do when you can’t assign a ready number to a loss that was prevented.
Four security practitioners shared a few tips for doing so at The Security Standard conference in Boston: Scott Blake, CISO of Liberty Mutual Insurance Group; Tom Bowers, manager of information security operations at a large drug maker; Jeff Platon, vice president of security marketing at Cisco Systems; and John Schramm, senior VP of enterprise information security at Fidelity Investments.
Among their suggestions:
• Keep it real. Use examples from your business to make your points about the need for security investments.
• Use examples from media reports, too. The idea is to use these examples to communicate the fallout from security incidents, and then to discuss how you are addressing such risks at your company.
• Make security investments relevant to business strategy. Project your recommendations about security investments through the lens of your organization’s priorities.
• Follow the rules. Compliance with government regulations is a risk management issue. Security executives need to communicate clearly about compliance-related security investments and what failing to comply could mean for a company and its top executives.