Information Security

Defending the digital infrastructure


Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

Bernie Rominski: Communicate Effectively with Management about Risk

Learn how to communicate with senior management about risk; it's your job.

I think I might be spending too much on information security.

I'll bet that's something you don't hear every day. It's an ice-breaker that I've been thinking of using at an upcoming meeting with senior management regarding information security risk. Of course there's also a chance we're not spending enough; it's just the other side of the same coin, but I figure my executive leadership might be more intrigued with the former possibility. I know reducing operating expenses is a high-priority concern for them recently, so that might really get their attention.

The fact is that our security budget is right where it should be. If it's not, it's my fault. Why? Because my most important and challenging responsibility is making sure management understands what they're getting, and what they're not getting for their information security budget dollars. If they are making informed risk decisions that drive our security strategy, the budget will be there. Likewise, if the security staff attempts to make those decisions in a vacuum, we'll be apt to flounder trying to cover all the bases, spending more than we need while feeling that we are under-funded.

Senior management is ultimately responsible for addressing all business-related risk. They are accountable for all outcomes from our business activities, good or bad. Some risks they understand very well, others they need to have a good sense of but depend on the counsel of experts in their various areas to feel adequately informed. Information security risk is something the typical executive might not understand as deeply as a security professional, nor should they. We don't pay our CEO to be an expert in the latest Web application firewall technology, and thankfully we don't pay our security manager to make decisions on buying, building and operating hair salons. We have our areas of responsibility, but we're on the same team trying to carry out the same mission.

Early in my IT career, a CFO I worked for taught me some great lessons. I'll never forget one of the things he used to say regularly: "Bernie, explain it to me like I'm a 10-year-old." Of course he didn't mean to suggest the average 10-year-old isn't smart. What he was saying in his very tactful way, was that he wasn't interested in learning all of the techie ins-and-outs of the situation, that I shouldn't waste his time with fancy IT acronyms, and very importantly, that I shouldn't worry I'd offend him with my "dumbing down" of the subject matter. I was very appreciative of his method because though we did have very different duties, we both had a responsibility to find a way to communicate about the things we needed to in order to get our jobs done.

I hesitate to make this comparison, but I'm reminded of certain public service announcements urging parents to talk to their kids about drugs. It might seem a bizarre parallel, and I wouldn't dream of suggesting we view our management as kids who might not know what's good for them, but one thing the announcements try to suggest is that as vast a communication gap as you might be facing, it's important to find a way to talk about topics that are important. These announcements aim to prepare you for an impatient audience that is far more likely to roll its eyes at you than to say "thanks for caring," The theme is that there's always another way to bring up the topic. If you're creative, and you know your audience, you can help make those connections. It just takes effort, and though it might seem sometimes like an uphill climb, we have to keep trying.

One effective way to build that connection is to make sure your security strategy is lined up with business objectives, and that you address security in the context of those objectives. If you speak with management about specific goals they're trying to reach, you're getting on the right page. Every business is different, but there should always be ways to build on the theme of alignment.

It's not an easy job, but we're the security experts, so the onus falls on us to help bridge the communication gap. We need to find a common language that works for us and our management. We should use whatever means are available to us to find that common ground--formal risk assessments, informal risk assessments, collaborative workshops, cave-drawings--the medium is less important than the goal; we need to keep talking, and we need to keep trying to talk better.


TITLE IT security officer
COMPANY Regis Corp.

  • Tasked with building an information security program and implementing controls to meeting PCI DSS and Sarbanes-Oxley requirements
  • Developed a security policy framework and conducted enterprise-wide risk assessment
  • Secures millions of transactions at its 8,500 retail locations in the U.S.; manages a team of six
  • Must contend with constant merger and acquisition activity, requiring an agile security program
  • Implemented an encryption program that would encrypt and securely transport credit card numbers from its retail locations to the company's Minneapolis data repository
  • Deployed data loss prevention tools to analyze transactions for fraud and other card abuse
  • Member of ISACA, ISSA and CSI

Bernie Rominski is a security craftsmen, building a security and risk program in short order that examines the integrity of millions of relatively low transaction amounts taking place in thousands of locations. His policy and process development sealed significant compliance gaps and guaranteed the security of his enterprise's transaction data.


Make Critical Infrastructure a Priority: Critical infrastructure protection must be addressed today to protect our country tomorrow.
Government Must Keep Pace with Cybersecurity Threats: Securing the Internet means to much to the future of the U.S. economy and national security.
Report Security and Risk Metrics in a Business-Friendly Way: Security metrics must, not only provide a view of security posture, but must support security budgeting and investment processes.
Build a Security Control Framework for Predictable Compliance: Healthcare provider Humana Inc., has developed a security controls framework that addresses all of the industry and federal regulations it must comply with.
Improve SSL/TLS Security Through Education and Technology: Carnegie Mellon University's CyLab designs security to improve all aspects of society.
Communicate Effectively with Management About Risk: Learn how to communicate with senior management about risk; it's your job.
Prioritize Information Security over Compliance: Organizations need to prioritize security over compliance to ensure comprehensive risk mitigation.
Article 3 of 12

Dig Deeper on Risk assessments, metrics and frameworks

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.

Get More Information Security

Access to all of our back issues View All