Executives to blame for bad risk decisions? Hardly. The real problem is our failure to communicate

The apparent inability of executives to understand and act on security information is generally a failure of security professionals to effectively communicate value. Here are some ways to fix it.

When it comes to protecting networks and information, people are routinely dubbed the weakest link. Lately, the notion that the executives in charge are making it worse is gaining traction, too.

If you believe either of those to be true, then you are likely the cause of the problem.

It is frustrating to struggle and fail to effectively communicate the value of security to others. When they don't understand, it's easy to draw the conclusion that they "just don't get it", and are probably incapable of appreciating security.

This is simply not true.

Especially when it comes to executives. They understand risk quite well. Often better than we do. The underlying problem is how security risks are communicated. It’s not so much the capacity of executives to understand and act.

This is where the friction of communication gets in the way. It creates a challenge for the security team to articulate risks and describe proper actions in a clear, understandable and convincing way. 

The friction of communication erodes value. It prevents the right information and context from being understood and acted on appropriately. Friction requires more energy and effort to connect value to people.

Time to change how we communicate the value of security

To get others to understand and act on security requires us to adopt a different approach. Minimally, it means matching the message to the audience, delivering it in a way that works for them, and taking the time to ensure mutual understanding.

Focus on what the audience needs to know not sharing (and trying to impress them with) everything you know.

Keep in mind that when navigating to mutual understanding, often you learn that initial assumptions were incomplete and the process moves you to a new understanding as much as it moves the audience, sometimes more.

Connecting the value of security to executives

Without a doubt, executives in organizations do pose unique challenges: many competing interests for their attention, different pressures, and the desire to adopt new mobile technology and work without restrictions.

Here are three things to consider in an effort to improve your ability to effectively communicate the value of security to executives:

1. Executives have a larger field of view

Executives have a different, often larger, field of view than others in the organization. As a result, when they dismiss identified risks in the larger scheme, they may be accurate. It depends on their understanding of the risk, which is directly dependent on how the security team communicated.

Instead of expressing frustration, ask for an explanation. Use the opportunity to learn more about the business (learn more about how to do that here).

2. Security must align value to the business

Security has a tendency to focus on "risk" like catnip, without first mapping the risk against the needs and objectives of the business.

Risk is not a zero-sum game. The real challenge is focusing on what matters to the company - and building the right solution to enable the business with the right protection (read more about how here).

Persuade others by capturing and distilling the value of the solution. Gather and provide clear and compelling evidence that shows how this meets their needs to increase business value while also offering the necessary protection(s).

The operative concept is value; security must align to the business based on value.

3. Translate complexity into understanding

Security professionals quickly accumulate thousands of hours of insight and understanding of the myriad of risks that face our organizations.

The problem is that it's often complicated to understand, and more so to explain. However, for executives to act on the information, the value must be translated from complexity into understanding. It needs to make sense to the audience.

This means investing the time to craft the right business story for the executive audience (check out why we need better stories here, and how to tell better business stories here).

When we skip this step, the audience remains disconnected from the impacts of the actions and decisions. Even if they agree they understand with the concepts presented (perhaps to avoid embarrassment), it likely does not register on an individual basis.

We act on what we understand

The challenge is not the information, nor the inability of executives to understand the information. The primary challenge is that security frequently fails to align the information to the audience.

Without understanding how security builds business value, executives naturally and justifiably focus on what they know.

Security professionals that work on translating the complexity of security into understanding—matched to the audience—enjoy more success. The executives they support benefit from a more accurate understanding of risk.

Connecting and effectively communicating value with others requires a shift in thinking and change in approach to work with executives in a way they understand.

This is a challenge we can overcome. When we do, everyone benefits.

Related:

Copyright © 2014 IDG Communications, Inc.

The 10 most powerful cybersecurity companies