David Hoelzer's post How to Present Audit Findings Effectively emphasized the need to frame security discussions by referring to the organization's internal "currency" that's not necessarily financial. After all, information security is usually a means of accomplishing some goal. The extent to which security contributes towards or detracts from that goal might be described using some form of currency. I'd like to build upon this idea and possibly take it in a slightly different direction.
Organizational Internal Currency
As David pointed out, "putting audit reports and risk assessments in terms of dollars and cents is the most motivating context for management" in most organizations. He also explained that money isn't the only internal currency you can refer to.
For instance, you might be able to engage your audience by framing the discussion in terms such as:
- The company's reputation
- Service availability
- Organizational culture clash
- Protection of trade secrets
In theory, risks related to these factors can ultimately be expressed as financial costs. In practice, however, people who set out to frame security discussions in financial terms sometimes invent numbers or rely on calculations that have no real data behind them.
You might not have enough data for monetary computations and might be tempted to make hopeful but possibly incorrect assumptions. Rather than give up and begin talking about security as if its importance were widely acknowledged, consider other forms of internal currency that might resonate with your audience.
Individual Internal Currency
I'd like to take a somewhat Machiavellian perspective on this matter, very possibly diverting from the road map charted in David's post. (So don't blame him if the following rubs you the wrong way.)
Remember that companies don't make decisions. Instead, individuals working for companies make decisions. As a result, consider which form of internal currency is most relevant to the person with whom you're interacting. Though the person operates within a company that pursues certain (usually financial) goals, he might have more immediate concerns related to avoiding:
- Looking bad in front of his manager when a data breach occurs
- Being fired or demoted as a scapegoat
- Spending time away from his family dealing with a drawn-out security incident
- Being known as the person on whose watch a major security issue came up
- Having to ask for funds beyond the budget allocated to security spending
- Losing support for his favorite security product roll-out project
- Being blamed for being the one who failed a compliance audit
- Losing the respect of his peers due to a weak security posture
Keep these subjective concerns in mind when preparing to discuss your information security findings, recommendations or requests.
The goal of accounting for internal currency isn't to distort findings or manipulate the organization or the person into making bad decisions. Rather, it's a technique that helps capture the attention of the audience in the context within which the security program exists. Your discussion still needs to be based on accurate observations, factual information and, whenever possible, empirical data.
In a perfect world, we'd have all the data we need to calculate the outcome best aligned with the organization's strategic goals. In the meantime, recognize that internal currency can take forms other than money and might differ across individuals within the company.
For more thoughts along these lines, take a look at my article Situational Awareness for Information Security Professionals.