A panel of current chief security officers at the annual InfoSecurity Europe conference being held this week said adequately engaging the C-level suite is just as important as creating a security strategy.
"The business is there to make money," Avtar Sehmbi, head of information security and risk management at Centrica, a British utility company, said during Tuesday's panel discussion. "If you are heading a security department, you are selling what you're doing in terms of risks. Having an engagement strategy is quite crucial."While it's no secret that communicating the needs of the IT security department to executives to gain high-level support is essential, the challenge is speaking "the same language," said John Meakin, CISO of the marketing and international banking division of RBS.
Just as with any other type of enthusiast, information security professionals tend to talk at length about the intricacies of the discipline, leading listeners to lose focus, Meakin said. One of the greatest lessons he has learned in his career is to communicate in a way executives can comprehend.
"99.9 percent of people don't speak the same language as security geeks," Meakin said. "The key challenge for CISOs is to be able to speak convincingly in a language that mere mortals can understand."
The overarching goal for any security professional is to have high-level support. However, in order to reach that they must correlate how security investment meets the risk and growth strategy of an organization, Matthew Ford, information security offer at consumer goods company Reckitt Benckiser Group, said.
"It's the CISO that has to step forward and give [executives] the common framework and common language," Ford said. "Taking communication one step further [means] using negotiation and influencing skills."