The importance of information security and technology risk management continues to grow, but many risk and security professionals continue to struggle with non-IT executive communication.
Speaking at the Gartner Security & Risk Management Summit in Sydney today, Gartner vice president and distinguished analyst Paul Proctor said one of the greatest challenges security teams face is not how to reduce risks but how to convey the benefits of risk management to leadership.
The pace of change in the age of digital business and the Internet of Things means risk and security professionals are forced into a state of continuous conflict between the business wanting to drive innovation, and the security team needing to rein in risk.
Executive decision makers want to know the business is adequately protected against risk but need to weigh the risks of yesterday and today against the opportunities of tomorrow.
Having reviewed more than 300 board presentations on risk and security, Gartner found that in the vast majority of cases, the reports contained too much information and fear, were overly complex, lacked alignment with wider business strategies, and had no connection to board-relevant decision making.
The challenge is how to get the two sides to work in harmony. To do that, security teams need to learn to communicate the benefits of security changes as much as they do the risks, says Mr. Proctor.
In his recent report on linking risk and security to corporate performance,Proctor had these eight practical tips for communicating benefits to executive decision makers:
1. Formalise risk and security programs
A formalised program is one that is repeatable and measurable. It contains four key phases: a govern, plan, build and run phase.
2. Measure program maturity
Using a maturity scale to measure your program identifies gaps and opportunities to improve. Maturity is also a good abstraction for executive decision makers who do not always understand technology.
3. Use risk-based approaches
Risk management is an explicit recognition that there is no such thing as perfect protection. Organizations must make conscious decisions about what theyll do, as well as what they wont do to mitigate risk. Stakeholders in non-IT parts of the business must make these decisions, not leave it up to IT professionals alone. But more importantly, risk managers must take a proactive approach to risk assessment and management. They need to manage risk, not be managed by it.
4. Use lead indicators of risk conditions
Risk managers need to define new leading indicators of business performance that includes both key performance indicators (KPIs) and key risk indicators (KRIs). They should not focus exclusively on IT-centric KPIs. Doing so perpetuates the notion that IT risks relate only to IT.
5. Map KRIs to KPIs
Most organizations have a plethora of operation risk and security metrics. While these are extremely valuable for internal operations, they have little value to business decision makers. Good KRIs are simple and measurable and have a direct impact on multiple KPIs.
6. Link risk initiatives to corporate goals
Using fear, uncertainty and doubt to get executive support doesnt work. Executives dont want to hear how bad everything will be if they dont invest in risk management and security. Its equally useless to cite returns on investment because risk does not return a tangible dollar for dollar value. The best way to win executive support is to demonstrate business value.
7. Remove operational metrics from executive communications
Dont use operational metrics to communicate at a business executive level. Executives lack the background and training to understand the meaning in a business context.
8. Clearly communicate what works and what doesnt
In a risk-based world, a business-oriented audience wants to know: What are our risks? What is our posture? What do we do about it? Communicate that well and youve won half the battle.
More information on implementing these tips is available in the Gartner report Eight Practical Tips to Link Risk and Security to Corporate Performance, available on Gartners web site at: http://www.gartner.com/doc/2818321
About Gartner Security & Risk ManagementSummit 2014
Gartner Security & Risk Management Summit 2014 helps security leaders to validate their security and risk management strategy, see what needs to be improved, kept the same or changed in their approach, and showcases the latest trends and technologies in information security. More information is at http://www.gartner.com/ap/security
Information from the Gartner Security & Risk Management Summit 2014 will be shared on Twitter using #GartnerSEC
Gartner, Inc. (NYSE: IT) is the world's leading information technology research and advisory company. We deliver the technology-related insight necessary for our clients to make the right decisions, every day. From CIOs and senior IT leaders in corporations and government agencies, to business leaders in high-tech and telecom enterprises and professional services firms, to technology investors, we are the valuable partner to clients in over 9,000 distinct enterprises worldwide. Through the resources of Gartner Research, Gartner Executive Programs, Gartner Consulting and Gartner Events, Gartner works with every client to research, analyze and interpret the business of IT within the context of their individual role. Founded in 1979, Gartner is headquartered in Stamford, Connecticut, USA, and has 6,400 associates, including more than 1,480 research analysts and consultants, and clients in 85 countries. For more information, visit www.gartner.com.
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.