For any cybersecurity framework to be successful, it is essential that the chief information security officer (CISO) or equivalent figure be able to communicate the state of security in the organization to top management in simple terms, present an improvement plan, justify it with the assessed risk and request the necessary resources.
The cybersecurity framework defines the methods of risk analysis and assessment of the security level, illustrates how to organize resources, defines roles, assigns responsibilities, performs checks, provides training and determines the technologies and tools to be adopted. Although all of this is helpful for solving an organization’s computer security problems, it often includes a great deal of detail and specialized information that top management does not understand.
However, top management must understand this information in order to provide the necessary resources. Herein lies the problem: the specialist details included in the documentation and presentation. A business impact analysis (BIA) or other computer security document is suitable for process managers or for operating levels. The risk register is suitable for a risk manager. An operating instruction is suitable for operating personnel. But when the CISO is in front of the chief executive officer (CEO), they have only a few minutes to gain approval of the investments provided for in the plan. To communicate effectively, they need a different type of document, one that focuses on the connections between the impacted business objectives.
The type of synthesis that is typical of executive reporting is not sufficient. Communication should be based on the adopted framework and must have a clear connection with all business processes. Information that is too technical or specialized should be kept to a minimum: it shrinks the audience that can follow it, and failure to understand can cause confusion, boredom or irritation.
Communication with corporate leaders requires open and creative communication using language that is aligned with corporate concerns.
The starting point is the risk register. From this, an overall view can be created to help management understand the topics covered by the resolution plan or BIA while always remaining anchored to the organization’s objectives.
Editor’s note: For further insights on this topic, read Luigi Sbriz’s recent two-part Journal article, “Communicating Information Security Risk Simply and Effectively,” ISACA Journal, volume 1, 2022.