It's time for your annual compliance report to the board of directors, when you present the state of the corporate...
compliance program to executives. Your team has worked long hours and plugged as many compliance holes as possible on a budget. The only thing is, like most organizations, it's far from perfect. How should you handle this situation?
Make sure that you're using a vocabulary familiar to executives and removing linguistic barriers to understanding.
In this tip, we offer three simple rules for relating enterprise IT compliance program challenges to a non-technical, executive audience.
Rule #1: Keep it simple
The first thing you must remember when presenting compliance issues, or any technical topic for that matter, is that it's likely your audience has no idea what you're talking about -- unless the business of your organization revolves around technology. Executives are normally focused on activities that are directly related to the organization's mission. IT is lumped with human resources, accounts payable and similar functions in the "support services" bucket. While they are all critical to the organization's success, they do not directly perform the mission. Keep this in mind as you approach executives.
You can begin to overcome this challenge by using plain language. Make sure that you're using a vocabulary familiar to executives and removing linguistic barriers to understanding. For example, you're likely to see eyes gloss over if you start talking about "misconfigured proxy servers," but you will receive nods of comprehension if you talk about the "technology that allows us to block unwanted websites."
In some cases, you may need to bring technically complex issues to higher levels within the organization, especially when you need to acquire funding. Stick with the plain language rule even in those circumstances, and be sure to provide a business case for any investment you might need to make. For example, which one of the following pitches do you think is more likely to obtain funding?
- "Our backend e-commerce system suffers from a SQL injection vulnerability that violates provision 6.5.1 of the Payment Card Industry Data Security Standard. We need $100,000 to fund a contractor who will ensure proper input validation on all free-entry text fields."
- "Our website has a flaw that would allow an Internet user to manipulate our system and retrieve sensitive customer information. If this happens, we could be subject to a $500,000 fine and significant reputational damage. Bringing in help to fix this quickly will require a $100,000 investment."
You can see how the second example is much more accessible to a non-technical audience. And if you can supplement your argument with a live demonstration showing how information can be stolen, then all the better.
Rule #2: Confront the brutal facts
The second rule is borrowed from Jim Collins, author of the popular business book Good to Great, which will likely be familiar to an executive audience. Collins urges executives to always be diligent about finding the bottom-line truth of an organization's current situation. This certainly applies to a corporate compliance program. When presenting your current status to an executive audience, always be forthright and careful to avoid two extremes: sugarcoating the situation in an effort to alleviate concerns and fear-mongering in an attempt to gain additional resources.
Keep this advice in mind when painting your IT compliance picture to an executive audience: If you're not yet fully compliant or you've suffered a setback in an audit or assessment over the past year, confront that fact and explain it to executives using the plain simple language endorsed by our first rule.
Rule #3: Provide a realistic roadmap
The final rule for presenting IT compliance issues to executives is to always follow up the brutal facts with a clear roadmap for bringing your organization to a compliant state. Once you've outlined the barriers to compliance, explain how you intend to overcome those hurdles and achieve compliance.
In many cases, fulfilling the vision outlined in your roadmap will require an investment of time and money. It will probably also require the cooperation of business functions outside of IT. Clearly state the investment you need and remember to include the business case that justifies the investment. For example, if you have an audit finding that criticizes your password management practices, you might explain to executives that a failure to remediate the finding may result in auditors requiring the insertion of a footnote into next year's audited financial statements, which may be a red flag for potential investors. This is language that executives understand.
Presenting IT compliance issues to an executive audience can be a challenge. If you put compliance matters in the language of your business, present an honest assessment of the situation and provide a roadmap to resolve any open issues, you have a good chance of breaking through the barriers of misunderstanding and obtaining the resources necessary to build a solid compliance program.
About the author:
Mike Chapple, Ph. D., CISA, CISSP, is an IT security manager with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Chapple is a frequent contributor to SearchSecurity, and serves as its resident expert on enterprise compliance, frameworks and standards for its Ask the Experts panel. He previously served as site expert on network security, is a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and Information Security Illuminated.