5 Steps to Communicate Security's Value to Non-security People
In belt-tightening times, making the case for security investment is more difficult than ever. Security Catalyst founder Michael Santarcangelo details five steps risk professionals can use to communicate value effectively.
Going back to ask for "5 more minutes" because you couldn't make the proper case when you had the chance is a no-win situation. You'll destroy your credibility. That is the risk of rehearsing without benefit of an audience, a technique that is not very effective. If you can get an objective person familiar with what you are trying to accomplish to listen and critique ahead of your live presentation, your chances of improving communication increase greatly.
We need to evolve as an industry.
This post is salient in this time of cost savings and staying afloat and the simplicity of the message has merit, but (pure and simple) what we don't measure and report on will limit us all in the end. Infosec needs a common taxonomy and measurement to show dollars spent in security means some measure of overall security. Why are we reinventing what has been vetted for a hundred years with the insurance industry and apply hazard and peril instead of threat and vulnerability?
I've been asking several folks that attend Metricon ( http://www.securitymetrics.org/ ) about this to no avail. Everyone is myopic about tactical security metrics and not focusing in on what non-security people want to know--
How secure are we?
If we use more/less resources, are we more secure?
Santarcangelo nails it. You could argue that it's worth the time and effort to understand your audience as well as you know your subject.
Sometimes big decisions come down to just one interaction, but usually it's an iterative process. But regardless of how well the message is crafted and delivered, there's going to be resistance. How security leaders deal with that resistance, individually and within groups, will determine the success of security efforts within that organization. Technique is important, but it helps to know why and how those approaches work, and what to do when they don't.
In “Changing Minds,” researcher Howard Gardner explains the process in detail:
http://reava.blogspot.com/2008/02/information-security-requires-changing.html
Perhaps the most revealing thing is to see how other messages are also influencing your audience, and how the competition for support takes shape.
Jeff - in fact we interviewed Gardner on this topic back in 04:
http://www.csoonline.com/article/219306/How_to_Change_People_s_Minds
- Derek Slater