Explaining Information Security Risk to a Non-technical IS Owner? Oh Boy!

We all know the important role that information security plays in today’s world and how it can affect an individual, a small company, or even a multinational enterprise in a negative way. How important, you ask? Well, very important! This answer may not cut it when you tell it to someone who has a concept of you (as an information system [IS] security officer) standing alert outside an information booth in a recreational park with a shiny badge pinned to your chest and pepper spray in your hand, trying to protect park maps from being stolen. In my humble opinion, this person has every right in the world to think that the “ground zero” of information is present inside the park; after all, the park uses public tax money and needs to be protected, right? Now, I am not saying that is the case every time, everywhere, and with everyone. However, it is a fact that most IS owners are typically less technical than you are. So, if you tell them that you are here to secure the organization’s IS assets, then the next question from the owner will probably be, “When do you think our IS assets will be 100% secure and risk-free?” You are in trouble if you say that we will never be 100% secure, that good information security does not just happen (and often does not happen at all), or that resources are always in short supply and there are always other needs that seem more pressing. This, my friend, is next to kissing your next paycheck goodbye! For example, if I hire a babysitter and she tells me one day that my 1-year-old child will not be “totally” happy and “completely” protected, then her paycheck takes a ding to match my dissatisfaction.

On the other hand, if you try informing the person that “we will be 100% secure by the end of the next fiscal year,” then not only are you violating the ISC2 Code of Ethics by hiding the truth from stakeholders, but also if (God forbid) the IS system is hacked and personally identifiable information (PII) becomes just a “Google” away, then it is not only you who gets the pink slip. The company, a partner, or even an owner could end up being released by the affected organization and possibly their contract agencies, as well.

Next, try telling a non-technical peer or, in a worst-case scenario, the boss that the database server’s frame-relay link to the storage area network (SAN) is broken and, due to non-availability of a hot backup link, the only disaster recovery (DR) recovery point objective (RPO) is limited to the local host’s Redundant Array of Independent Disks (RAID) capacity. You get the idea, don’t you?

So, here is the challenge! What, when, and how to explain to your IS owner and any related non-technical staff that you have come across an IS vulnerability. The good news is that for “what,” the answer is simple: tell them honestly about your discovery and speak in simple, plain language without impressive “techie” lingo and acronyms. For “when,” the answer is even simpler: ASAP! Unfortunately, the “how” factor is where most IS officers/engineers/consultants prefer jumping off a 1,000-ft. cliff with a 1,001-ft. bungee cord, hoping that with God’s almighty help, the cliff will grow taller with divine destiny from top to bottom of the “Rock of Fate.”

I will try to outline my limited experience on how to tame the “HOW”ling beast. Maybe this will help you in similar situations where everyone sees you as the “9-1-1 help line.”

1.  Start by giving a real-life example close to the technical situation at hand. For example, a virus threat is creeping into your protected network and you are trying (or at least planning) to isolate or unhook the infected e-mail server from the network. (By the way, virus threats can easily make you the number one victim of unlimited and unsolicited verbally, morally, and politically incorrect spam from any source who is expecting a million-dollar, jackpot-winning confirmation e-mail any second now.) Start by asking a simple question, “If your elder child becomes infected with a contagious viral infection, what would you do to protect the rest of the family from the virus?” One answer might be to isolate the patient by asking him or her to rest in a separate room away from siblings, and then start treatment until the child is healthy again, right? Right! You get the picture.

2.  Second, nothing (and I mean absolutely nothing) will elicit a positive reaction from an IS owner in favor of your risk management plan or strategy until you present him or her with the final “horror” consequence if the threat is not dealt with promptly. For example, using the scenario in bullet 1, suggest that the IS owner take the infected e-mail server offline immediately and investigate, fix, and report the incident (sacrificing a few hours of lost production in the process). Otherwise, be prepared to possibly deal with an entirely infected network, which can take days to recover from the IS assets standpoint alone and even longer to regain stakeholder trust and confidence. In a worst-case scenario where a system is not repaired promptly, a permanent blemish could remain on the business and its reputation that could lead to other problems down the road.

3.  Finally, patience and persistence are the key to success! Don’t lose heart if you think you have been singled out, left alone, or if people treat you as the messenger of bad news all the time. Keep doing what you know is right and ethical to help protect the information from all possible threats.

Just my two cents. Well, three bullet points to be exact! Thanks. - Syed Khalil