One of the best skills an information security professional can have is the ability to know how to present security issues in business terms. Having this skill will get your point across to the decision makers so they can give the necessary money for new security initiatives. You, of course, can explain to management what can happen if a certain security initiative is not carried out (i.e. customer credit card numbers could get stolen, a company could be put in the headlines, a CEO could go to jail for not ensuring proper controls, etc.). There are a lot of horror stories out there that demonstrate the seriousness of security flaws. Compliance requirements and fines, not to mention jail time, can also serve as a catalyst to get their attention.
It is also important to show management that security is a business enabler, not just a drain on the bottom line. Most businesspersons understand risk appetite and the opportunities that risk can provide for the company. In the business world, risk is not always a bad thing, as we in the information security tend to view it. There are several ways to show how security practices help the company in other ways than just pure protection.
A strong security system:
Finally, you shouldn't expect management to change; if you're struggling to connect with them, you need to adjust your approach. Understand the business, its drivers and its objectives. Tie security to these business aspects and illustrate this relationship to management. Carry out cost/benefit analysis. Present management with data in a format that they can understand and use. You need to show management that you understand a company is not in business just to be secure. A company is in business to profit, and security needs to support these goals as best as it can.
This was first published in December 2006