Why communication is critical for web security management

Former U.S. President Gerald Ford once said, "Nothing in life is more important than the ability to communicate effectively." This is certainly a critical element of enterprise web security management.

Whether you're trying to sell web vulnerability and penetration testing, make others aware of security risks or keep people on board to support web security efforts over the long haul, everything you do when you communicate with management either helps or hurts you; it either moves you toward your goals or away from them.

All too often, those of us working in IT and security get in our own way, as we assume executives know what we're dealing with. We take the wrong approaches, we push technical jargon on management without thinking about the consequences and we go as far as talking down to the very people we need to be educating, motivating and lifting up.

A study from the Ponemon Institute a few years back highlighted the disregard technical professionals have for those who are running the business. It found that nearly 60% of the IT and security professionals surveyed believed that security metrics are too technical to be understood by nontechnical management.

In other words, management just doesn't get the data these IT and security professionals have access to and, thus, it's the audience's fault rather than the fault of the message that's being delivered. This trap of ignorance that many in the field often blame management for is more of a reflection on technical professionals and their lack of communication abilities than anything else.

Many IT and security professionals focus their efforts on generating the most technical vulnerability and penetration testing reports they can. Not unlike what lawyers do with their contract legalese, it seems that some people are so enamored with their technical prowess that they can't help but assume that everyone on the receiving end of their deliverables will be nothing but impressed by what they see -- and security assessment reports are not the only things that are impacted.

This approach to web security management impacts all aspects of the security function, from proposals to project management to remediation efforts, and even dealing with SOC audits and those dreaded security questionnaires. And it's bad for web security, bad for the business and bad for the careers of the people communicating this way.

While there's nothing wrong with technical information -- we have to have it, as the details provide everything network admins, security managers and developers need to resolve web security management problems -- it can leave management wondering why any of this stuff matters to the business.

If you're in charge of -- or play a role in -- web security, you must break this cycle. Understand what management is looking for and don't be afraid to ask them what they need. People aren't terribly motivated to do things until there's a pressing need, one that's often personal in nature. In fact, the fear of loss and the desire for gain are the two driving forces behind most decisions.

Rather than pushing information that management can't relate to, put things in their terms.

This is especially obvious when it comes to executive behavior toward information security. Many in management simply don't care about web security because they haven't been presented with the right information. It's your job to find out what they need and how to present it properly.

Rather than pushing information that management can't relate to, put things in their terms. How do the issues at hand impact the organization as a whole? Will the insight enable management to make informed decisions? Can they prioritize the approach that's best for the business? Adjust your message depending on who you're speaking to.

You not only have to know your enemy with web security, but you also must know your audience in terms of what message you're trying to convey. You have to get past the geek speak trap that's so easy to fall into. Think about the bigger picture of what you're trying to accomplish every time you communicate.

The lack of a clear message and misguided priorities are two of the things that hold people back with web security management. Once you properly demonstrate what's important and how you're going to go about resolving the issues to help the business as a whole, you'll get -- and keep -- the right people on your side.