
How to explain information security concepts to business executives

Conveying complex information security models to business executives isn't easy. Here's how IT pros can improve their communication skills.

A recent survey sponsored by security vendor Tripwire Inc. produced a number of interesting data points, but one in particular stood out to me: 61% of respondents said they couldn't relay important security information that was too technical to nontechnical management. How can security teams in such a quandary explain information security concepts so that even nontechnical executives can grasp the importance of what they're saying?

Information security is a technical field. We work with intangibles -- things that cannot be seen or touched. We use a technical language that is often difficult for others to understand. Yet, we have to communicate to others outside of our field about the risks posed by technical problems.

Communication may be the most effective tool in a CISO's toolbox when it comes to reducing risk. It is also the most difficult skill to master, and even the best of us are occasionally unsuccessful. 

The Analogies Project has taken on the difficult task of explaining complex technical concepts through popular metaphors. This is a technique that I often use myself and find effective when communicating with nontechnical types. The Analogies Project takes verbal analogies a step further by providing pictures that immediately demonstrate the information security concept. For example, the leaky bucket is a wonderfully simple yet effective way to communicate how data leaks are similar to water leaks. 

There are a couple of considerations that I recommend when using analogies to explain information security concepts. First, know your audience and their level of familiarity with the concepts you are presenting. They may actually understand more than you realize and perceive the analogies as patronizing. Also consider whether your audience will understand the analogy itself. Most everyone understands the story of the leaky bucket, but does everyone understand the Elephant and the Six Blind Men? Analogies are powerful tools as long as you understand the context and your intended audience.

Information security professionals can also learn communication skills from physicians, who explain highly technical medical procedures to patients and their families using a concept called plain language. Plain language emphasizes words that can be easily understood the first time someone reads or hears them. Physicians use it to simplify information while still conveying the important points, omitting detailed medical language that does not add to the patient's understanding of the procedure.

This same approach can be used to explain information security issues to the executive team. "There is a problem in how the database connects to the Web server that could allow an attacker to compromise our data" is much easier to understand than explaining the importance of input validation to prevent a SQL injection attack, for example. It also respects the audience and does not come across as patronizing. You can also expand on the subject if you feel that the audience understands and wants more detail.

There are many different tools and techniques that a CISO can use to explain information security risks to other executives. You should experiment to find what works best for you. Analogies, plain language, simplified explanations and other techniques all take practice to get right. It is time well spent, as communication is easily the most powerful tool in your arsenal to reduce information security risk for the organization.


This was last published in June 2014
