{"id":20558,"date":"2023-01-11T23:27:59","date_gmt":"2023-01-11T19:27:59","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/business-soc-communications\/20558\/"},"modified":"2023-01-11T23:27:59","modified_gmt":"2023-01-11T19:27:59","slug":"business-soc-communications","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/business-soc-communications\/20558\/","title":{"rendered":"How to improve communication between information security staff and management"},"content":{"rendered":"<p>No company can operate successfully without smooth cooperation between the general management and the specialists responsible for different areas of the business. Such cooperation of course requires communication, which can sometimes be difficult since managers and specialists work in different information bubbles and often speak different languages. Management thinks about profit, costs and development; specialists \u2013 and the information security service is no exception \u2013 think about their specific technical tasks.<\/p>\n<p><a href=\"https:\/\/www.kaspersky.com\/blog\/speak-fluent-infosec-2023\/\" target=\"_blank\" rel=\"noopener nofollow\">A recent study<\/a> conducted by our colleagues found that, while mutual understanding between business managers and information security specialists is generally growing, problems do still exist. In fact, 98% of the business representatives surveyed said that they experienced a misunderstanding with the information security service at least once. As for direct consequences of such a misunderstanding, 62% said that it had led to at least one security incident, while 61% reported negative impacts to the business \u2014 including losses, losing key employees, or a worsening of communication among departments. 
At the same time, the security professionals themselves are not always aware of any problems: 42% of business leaders would like the security specialists to communicate more clearly \u2014 but 76% of those specialists feel sure that everyone understands them perfectly!<\/p>\n<p>There are often problems with the language used: managers generally don\u2019t understand all the technical terms that information security services use. But terminology isn\u2019t the only problem in the communication between the managers and information security \u2014 in fact, it\u2019s not even the main problem. Let\u2019s attempt to understand the other issues with the help of Patrick Miller, Managing Partner of Archer International, and his <a href=\"https:\/\/youtu.be\/d-Z6Ip1oyvc\" target=\"_blank\" rel=\"nofollow noopener\">speech<\/a> at the Kaspersky Industrial Cybersecurity Conference 2019.<\/p>\n<h2>Different ideas about risk<\/h2>\n<p>Most information security specialists have a very low risk-tolerance threshold. But in business, the opposite is true: without risk, there\u2019s no profit, so managers are often ready to take greater risks. For the boss, the main goal is to find the ideal balance between potential profits and potential losses. The real goal of the security department, as strange as this may sound, is not to eliminate all threats but to help the business earn as much as possible.<\/p>\n<p>From the business point of view, risks can be accepted, avoided, reduced, or transferred (for example, to insurers). Managers will try to take as many risks as possible to increase profits. Information security is just a small part of the picture for them: they probably don\u2019t even want to think about it.<\/p>\n<p>As a result, information security specialists should not think about how to close all the gaps, but rather how to identify and neutralize those threats that <em>really<\/em> could cause serious damage to the business. 
And, consequently, they should also think about how to explain to managers why it\u2019s worth spending money on resolving something.<\/p>\n<h2>FUD doesn\u2019t work<\/h2>\n<p>Trying to persuade managers using tactics of fear, uncertainty, and doubt (FUD) is not going to work because getting scared isn\u2019t what the business pays the information security service for. Specialists are there to solve problems \u2014 ideally so that no one even notices that there are any.<\/p>\n<p>Another problem with using FUD is that managers are already pretty stressed out, simply because any mistake they make could be their last: there are a lot of folks around who\u2019d jump at the chance of taking their place, they don\u2019t really trust anyone, and so on. They just don\u2019t need any extra fear factors.<\/p>\n<p>And finally, no boss likes to show that they don\u2019t know something. Therefore, any attempts to bombard management with smart-sounding terms are obviously doomed to fail.<\/p>\n<h2>Think like a business<\/h2>\n<p>The main goal of any commercial business is to earn money. All managers look at everything from this point of view. That\u2019s what they know how to do. Therefore, if an information security specialist comes to them and says, \u201ca threat has appeared and we need to invest X amount of funds to neutralize it,\u201d what the manager hears is \u201cif we take a risk and do nothing, we\u2019ll save X amount of funds.\u201d Sounds crazy, but that\u2019s exactly how business thinks.<\/p>\n<p>For the manager, it\u2019s essential that any of their actions (or inactions) results in positive financial numbers \u2014 even if such a positive number happens to be the difference between two negative ones. So, the situation must be presented to the management in a form it can understand: \u201cThere\u2019s a threat with a Z% probability of causing Y damage to the business. 
We need to spend X to neutralize it.\u201d This is an equation that makes sense to the business mindset.<\/p>\n<p>Of course, it\u2019s not always possible to realistically predict the cost of potential damage, so you can use known values such as downtime (during which the consequences of the incident would be cleaned up), the amount and type of data that could be lost or compromised, reputational losses, and so on. The business can then convert this information into understandable numbers \u2014 with the help of relevant specialists. But it\u2019s better if the information security team can do this themselves, since it saves a lot of time.<\/p>\n<p>Naturally, there\u2019s always the possibility that the equation won\u2019t work out in favor of information security. This isn\u2019t always a problem of miscommunication \u2014 maybe the managers hear and understand everything perfectly, but it\u2019s just more profitable to take the risk. Either that or information security wasn\u2019t able to convincingly argue their position because it didn\u2019t learn to think like a business.<\/p>\n<p>The key here is to have a good grasp of the information security service\u2019s position within the company and the profit it generates. This will make it possible to better evaluate and classify potential threats, avoid wasting your own and other people\u2019s time and nerves on initiatives that clearly won\u2019t go anywhere, and in general to work more efficiently.<\/p>\n<h2>The time factor and deadlines<\/h2>\n<p>For security, the time factor is crucial: some threats must be protected against immediately. But time is also important for business, because for it \u2014 time is money. 
You could spend the aforementioned X today; but if you spend it in a month instead, then in skillful hands X will have turned into X*n in the meantime, and X*(n-1) will stay in the bank.<\/p>\n<p>Even if the managers understand the problem well and know that it must be solved, they won\u2019t rush to spend money unless they\u2019re given a clear and well-argued deadline. They should also be notified that once the deadline passes, they automatically take responsibility for the specified risk, since then information security can only clean up the consequences.<\/p>\n<p>This deadline should be as realistic as possible. If information security is always demanding a decision to be made \u201cyesterday\u201d, then management will stop listening and instead treat it like the boy who cried wolf. And if it\u2019s always saying \u201cwell, you can decide within a year\u201d, they\u2019ll simply be fired following the next incident (or made redundant). It\u2019s important to be able to assess and set the real deadline and highlight the potential risks.<\/p>\n<p>It\u2019s worth noting that very few companies simply keep reserve money in their accounts, waiting for the chief information security officer to come and tell them where to spend it as soon as possible. Funds to solve the problem will have to be taken or borrowed from somewhere, and this can take time. And, by the way, in order to understand the time it takes, it\u2019s also important to know how the business works and is financed.<\/p>\n<h2>Be a marketer<\/h2>\n<p>To communicate effectively, information security specialists should have some marketing skills; then they can sell their solutions to the boss(es).<\/p>\n<ul>\n<li>Offer a solution, not a problem. Obviously, you can\u2019t sell a problem.<\/li>\n<li>Whenever possible, rely on real and easily verifiable precedents. 
Managers love them \u2014 they reduce uncertainty.<\/li>\n<li>Instead of technical terms, use engaging sales language and slides with colorful charts.<\/li>\n<li>Offer several options \u2014 including the clearly unfeasible ones.<\/li>\n<li>Fit the whole offer on one page \u2014 nobody will read any more than that.<\/li>\n<li>Use synonyms for the expression \u201cinformation security\u201d: risk reduction, ensuring resilience\/continuity of work processes, maintaining operational efficiency, downtime reduction, damage prevention, and so on.<\/li>\n<li>Keep emotional language to a minimum and maintain a business-like, professional communication style.<\/li>\n<\/ul>\n<h2>What to do?<\/h2>\n<p>Soft skills are the key to successful business communication. You need to be able to get out of your specialized bubble and learn to talk to managers using the language and contexts they prefer. Though they might want to, they can\u2019t dive deep into all the technical details of every department in the company. For the information security service, it\u2019s important to recognize that you\u2019re just one part of the business, to know how it works, and to help get the maximum income with minimum costs.<\/p>\n<div style=\"background-color: #e5f0ec; padding: 10px 25px; margin-bottom: 10px;\">\nAnd it\u2019s also worth checking out the results of our latest research study \u201c<a href=\"https:\/\/www.kaspersky.com\/blog\/speak-fluent-infosec-2023\/\" target=\"_blank\" rel=\"noopener nofollow\">Fluent in InfoSec: Are c-level executives and IT security managers on the same page?<\/a>\u201d\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Miscommunication between a business and its information security service can lead to unnecessary losses. 
Today we try to work out how to overcome the communication barrier.<\/p>\n","protected":false},"author":2725,"featured_media":20559,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1318,1916],"tags":[1461,1014,1022,1927],"class_list":{"0":"post-20558","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-enterprise","9":"tag-budget","10":"tag-communication","11":"tag-risks","12":"tag-soc"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/business-soc-communications\/20558\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/business-soc-communications\/25066\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/business-soc-communications\/27649\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/business-soc-communications\/25388\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/business-soc-communications\/25857\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/business-soc-communications\/28370\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/business-soc-communications\/34570\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/business-soc-communications\/46753\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/business-soc-communications\/20095\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/business-soc-communications\/20727\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/business-soc-communications\/29750\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/business-soc-communications\/25795\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/soc\/","name":"SOC"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/20558","tar
getHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2725"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=20558"}],"version-history":[{"count":0,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/20558\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/20559"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=20558"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=20558"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=20558"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}