As always, Senior Management ruins any kind of security measure

I read this article on Softpedia titled “63 Percent of Companies Run Cyber-Security Drills”. The bulk of the article discussed how more than half of the respondents’ companies perform cyber security drills. While I do not question the accuracy of the percentage, I do question the types of drills performed, their frequency, and the bias of those drills. Setting this aside, the article was well-written and has many merits.

Near the bottom of the article I saw an interesting point and it got me wondering if we may have this all wrong.

As always, senior management ruins any kind of security measures (parsed) Asked why not, 44% said that their IT (or security) department does not have a spot on the company’s board to influence decisions, the department suffers from budget cuts, and their management personnel simply does not understand the severity of a security breach at all.

Furthermore, 84% of survey takers said that they consider un-managed privileged credentials the biggest source of cyber-security problems, with 81% anticipating an attack in the near future and also admitting that, despite their worries, they are still incapable of convincing senior management to take precautionary measures.

Some of the respondents claimed that, within cyber-security, senior management is a factor, or that a lack of IT presence on the board is. While I get that this may cause problems with network security, I can’t help but wonder how the IT professionals are presenting the data to the board.

Do they present it in a very technical manner, as I have personally done, or was it “We need a new firewall to better protect ourselves”?
In either situation above, the non-technical board will respond without enthusiasm. Simply put, it’s either too technical and they do not clearly understand the risk to network security, or it comes off as a “new bell and whistle”.

As technologists, we may fail to consider that many senior-level management folks do not speak geek. My advice to everyone when dealing with a non-technical board is:

  1. Get the facts on the risk. Spend time on this.
  2. Explain the risk in layman’s terms. Pretend you are explaining this to a 10 year old. (Not saying non-technical boards have the minds of 10 year olds.)
  3. Show where your network security is now, and what it looks like after. Graphics, graphics, graphics.
  4. If you can find similar breaches and/or attacks in your industry, present and highlight them.
  5. Don’t use rounded numbers for cost; you come off as not knowing. Make sure you show the cost for each year after.
  6. IMPORTANT: Show the cost if the risk is realized!!!! Last I looked, if we are talking about private records, it’s about $200.00 per record, plus lawsuits.

While I understand there is a disconnect, we as technologists have to learn how to manage these types of relationships, as do non-technical boards. We must get better at explaining ourselves without throwing up technology terms.