Enterprise security skills: the communication factor
How important are good lines of communication as far as the enterprise IT security strategy is concerned? Davey Winder investigates...
When Tripwire carried out a detailed UK analysis of the Ponemon Institute's 2013 Risk-Based Security Management Study, it discovered something of a disconnect between an enterprise's commitment and its ability to actually deliver on that. The key takeaways from the very detailed analysis, can be boiled down to:
- Some 61 per cent don't communicate security risk with senior executives or only communicate when a serious security risk is revealed;
- Just shy of 40 per cent of collaboration between security risk management and business is poor, non-existent or adversarial;
- Less than half (47 per cent) rate communication of relevant security risks to executives as not effective' and when asked why this should be: 63 per cent said communication occurs at too low a level and 57 per cent said communications are too siloed. Furthermore, 56 per cent said the information is too technical to be understood by non-technical management and 50 per cent said negative facts are filtered before being disclosed to senior executives and the CEO. In addition just over one third (35 per cent) said it takes too much time to prepare report metrics to senior executives.
The results of this study would seem to suggest that integrating security risk into the day-to-day operational decision making of the business just isn't happening in the majority of enterprises.
Just how vital, therefore, are good communication skills? And, how can IT security professionals in particular develop new skills in this area to enable them to talk about risk in terms that are relevant to the goals of the business and so both understandable, and therefore implementable, by the powers that be?