Enterprise security skills: the communication factor

Skills meltdown

John Colley is the managing director for Europe, the Middle East and Africa (EMEA) at (ISC)2, the largest body of information security professionals worldwide with over 90,000 members across 135 countries. If anyone should know a thing or two about communication in the security business, he should.

Rather surprisingly, Colley seemed to be in broad agreement with the suggestion that IT professionals are failing to communicate security risks to their organisations, telling IT Pro this wasn't surprising as "IT professionals don't always understand the security risks themselves."

Colley explained that it must be the role and responsibility of business security professionals to communicate to both the IT professionals and the business as "they are the experts at the coal face of monitoring the threat landscape to secure the business."

When it comes to what Colley thinks is really causing this communication failure, however, the surprise-factor is less evident. "Use of technical terminology is an endemic problem and perhaps one of the key reasons for communication failure between IT/security teams and the wider business" he says.

"IT and security professionals must speak the same business language. For instance, telling the business that it is likely to be hacked will not have the same effect as saying that if certain security measures are not adopted, the enterprise will likely lose its intellectual property."

One of the problems is that all too often IT has no way of understanding and assessing the value and sensitivity (and therefore the risk) of the company's data assets. Those people who do understand this value are the data owners in line-of-business roles.

Empowering the business leaders with formal data ownership and providing them with the tools to set and manage access to their data can achieve two big things, insists David Gibson, one of the vice presidents at Varonis. Big thing number one is increasing the company's protection of critical data assets and big thing number two is enabling IT to get out of the permission business.

"Let's say a bank teller noticed a stack of cash sitting unguarded in the middle of the bank," Gibson explains "in order to calculate the risk associated with these bills, the teller would need to know the asset's value."

Are they $100 dollar bills or $1 bills, and how much is the pile worth? Secondly, they need to know to whom the assets belong in order to communicate with someone that is responsible for the assets. In this case, any bank official would ask, who is responsible for this?

It's just the same with data. When IT finds piles of data that are exposed to too many people or otherwise not protected adequately, in order to communicate risk, they need to understand the value of the data, and communicate the risk associated with that data to the right people.

"In other words, they need to find data owners," says Gibson. What's more, since data isn't usually as clearly marked as cash, the owners are needed to help quantify the data's value in the first place. "With so much information housed in today's data driven organisations," says Gibson "IT and the business have often lost track of who is responsible for which data assets."

Davey Winder

Davey is a three-decade veteran technology journalist specialising in cybersecurity and privacy matters and has been a Contributing Editor at PC Pro magazine since the first issue was published in 1994. He's also a Senior Contributor at Forbes, and co-founder of the Forbes Straight Talking Cyber video project that won the ‘Most Educational Content’ category at the 2021 European Cybersecurity Blogger Awards.

Davey has also picked up many other awards over the years, including the Security Serious ‘Cyber Writer of the Year’ title in 2020. As well as being the only three-time winner of the BT Security Journalist of the Year award (2006, 2008, 2010) Davey was also named BT Technology Journalist of the Year in 1996 for a forward-looking feature in PC Pro Magazine called ‘Threats to the Internet.’ In 2011 he was honoured with the Enigma Award for a lifetime contribution to IT security journalism which, thankfully, didn’t end his ongoing contributions - or his life for that matter.

You can follow Davey on Twitter @happygeek, or email him at davey@happygeek.com.