Web security: Getting your message across to management

This article is the sixth in a series about digital business security from information security consultant Kevin Beaver.
Former U.S. President Gerald Ford once said that nothing in life is more important than the ability to communicate effectively. This is true for all aspects of life, including areas where it might not be so obvious, such as web security. Whether you’re trying to sell web security to management, make them aware of new security risks, or simply report on existing initiatives, everything you do when you communicate with management either helps or hurts the situation.
It’s easy to get in your own way. You might take the wrong approach when conveying web vulnerabilities. You might assume management knows what you’re dealing with. You might push a message (for good or for bad) to management without thinking about the longer-term consequences. You might even go as far as talking down to the very people you need to be educating, motivating, and lifting up so you can get – and keep – them on your side. Regardless, this communication is critical.

Management just doesn't "get" data on security

Several years ago, a Ponemon Institute study titled "The State of Risk-Based Security Management" highlighted the challenges of communicating security-related concepts to management. The study found that 59% of IT and security professionals believe that security metrics information is too technical to be understood by non-technical management. In other words, management just doesn’t “get” data on security, including web security-related reports. So, the audience is being blamed for not understanding what’s being said? This is an easy rut to fall into and leads to the same trap of security ignorance that management itself is often blamed for. This is not only bad for web security, it’s also bad for your career and the business as a whole.
A big reason management doesn’t take interest in web security is because they haven’t been presented with the right information. Quite often, the information management does receive is super technical and doesn’t explain the business impact to the organisation. The very thing that management needs to know and base their decisions around is simply glossed over and the struggle continues. You need management to have good information so they can make informed decisions and prioritise the approach that’s best for the business. And it’s not the information in and of itself but rather how it’s presented.

Don't be afraid to ask leaders what they need

Quite often, people aren’t motivated to do things until there’s a pressing need. The fear of loss and the desire for gain are the two driving forces behind most decisions people make. It’s important to understand that the fear of loss can be twice as powerful as the desire for gain. You can use this to your advantage when communicating web security-related concepts to business leaders. Instead of confusing management with technical details, present them with information they can relate to. Understand what management is looking for in terms of web security. Don’t be afraid to ask them what they need. Be it web risks that were avoided, compliance requirements that are being met, or technical controls that may be needed for remediation, good information presented in the right way will equate to good results.

Communication will make or break your success with web security

The lack of a clear message and misguided priorities are two big things that hold organisations back in terms of web security. Unless and until you properly demonstrate what’s important and how you’re going to go about resolving the issues, you’ll continue to struggle with getting – and keeping – others on your side. Communication will make or break your success with web security. The better you convey what’s needed, the more credibility you’ll have and the more trust you’ll build with management. When you do that, you’ll develop strong relationships with the very people who ultimately control how effective you can be in your job and the overall security posture of the business. It’s a win-win.
About the author
Kevin Beaver, CISSP is an information security consultant, writer, and professional speaker with Atlanta, GA-based Principle Logic, LLC. With over 31 years in IT and 25 years in security, Kevin specialises in independent security assessments and virtual CISO consulting work to help businesses uncheck the boxes that keep creating a false sense of security. He has written 12 books on security including the best-selling Hacking For Dummies and The Practical Guide to HIPAA Privacy and Security Compliance. Kevin has written over 1,000 articles on security and regularly contributes to TechTarget's SearchSecurity.com, Ziff Davis' Toolbox.com, and Iron Mountain’s InfoGoTo.com. He has a bachelor’s in Computer Engineering Technology from Southern College of Technology and a master’s in Management of Technology from Georgia Tech. In his free time, Kevin races cars in the SCCA Spec Miata class and enjoys riding dirt bikes and snow skiing.