ISF congress post 2: Communicating information security value to the business

Communicating information security value to the business using words and pictures.

Presentation by Steve Jump from Telkom SA SOC ltd.

I have high hopes for the usefulness of this talk as we all seem great at explaining and discussing security issues with other security and technical people, but fairly terrible at getting the board and other business people to understand the issues and importance of remediating them!

 

Highlighted at the start that this is a work in progress, but already proving useful.

If you are trying to obtain budget for upcoming initiatives  you need to get the board on board and ensure they understand the risks from a business standpoint.

  • Why business gets turned off by security
    • Too much shouting about risks, creating policies and standards, more talking about risks – who is looking at your data (criminals, governments, hacktivists), where is your data, more standards and policies
  • What the business actually wants (and needs) to talk about
    • What do these threats mean to my business?
    • Why should I worry?
    • How does this affect the bottom line?
    • What happens if I ignore you? (e.g. is the cost of doing nothing lower than the cost if fixing the issue?)
    • Can you put a value on that?
    • If I do ignore you, will anyone notice?
  • Its all in the words we use;
    • Business Impact Taxonomy!

 

Regulatory

  • Non compliance to legislation, risk of fines, prosecution etc.

Fraud

  • Illegal access to information leading to fraud, Identity theft, mis-representation, corrupt practices, banking and card fraud etc.

Theft

  • Theft of information or revenue, direct theft of assets

Service Availability

  • Service denial or interference

Business Agility

  • Prevention of business growth and reduced opportunity for profit due to reduced agility of systems and increased need to deliver custom protection of solutions.

Reputation

  • Loss of business reputation resulting from information loss or device interruption resulting in loss of credibility with customers and investors.

 

So that’s all the jargon sorted out?

Think of creating threat cubes – they have a LOT more words than this and are technical.

So how do we bridge the gab between the jargon and output from threat analysis etc. to a simple taxonomy the business can understand, relate to and use in budget and planning discussions?

 

Add pictures!

One for each of the six words in the simple taxonomy;

 

Warning triangle – Regulatory

Credit card – Fraud (may need to be different for you if you work in a PCI environment as this may get confused with the regulatory one)

Money Bag – Theft

Road block sign – Service availability (things with this could impact our ability to do business)

Rocket ship – Business agility – faster, innovative

Happy / sad masks – Reputation

 

So the taxonomy now has words and images for each item.

So when you create a threat cube or other form of threat analysis you can then relate each item on the list back to one or more of the taxonomy words and images – images can be added to aid understanding.  For reporting, each should be mapped to the main area it impacts.

 

How this works in practice;

  • Formal Information Security Risk assessment process
    • Asess solution, change product or service against technical business threat models
    • Identify key threats, recommend mitigations and evaluate impact of residual threats
  • Summarise business impact in business terms
    • Use six key business impact areas to describe and prioritise impact areas
    • Use business impact icons in formal / technical risk assessment (in body text and headings) to ensure continuity
  • Technical risk assessment and Business risk owners still work in different areas
    • Icons bridge experience and jargon barriers
    • Technical designers and security specialists understand business drivers
    • Business owners understand where technical short cuts will affect overall risk model

 

 

The chosen icons work on mac and windows as standard keyboard short cuts so should work across most businesses using Word / PDFs / spreadsheets etc.

For larger threats, use more icons – so one, two, or three icons depending on low, medium or high issues size.

For reference, the symbols used to represent the 6 areas;

Fraud 1F4B3 <Alt-X>

Regulatory 26A0

Theft 1F4B0

Service Availability 1F6A7

Business Agility 1F680

Business Reputation 1F3AD

If Unicode character is used (Win7/8 – type code, press Alt-x) it will display automatically if font is Segoe.

UI Symbol on Windows (Word/Excel/PowerPoint/Outlook) or as emoji font on OS X, iOS, Android.

 

It will be interesting to test this method out at work to see if it helps get engagement from the board and wider business.  This definitely seems like a good idea, and anything that will help engage and lead to greater understanding of security issues has to be worth a try1

It would be great to hear from anyone who s trying this method, or a similar one in their business.

K