Why Communication Fails: Five Reasons the Business Doesn't Get Security's Message
 
16 February 2011

Jeffrey Wheatman

Gartner Research Note G00210798
 

The failure to communicate effectively with enterprise leaders is one of the most common reasons for security program failures. Gartner has identified five key inhibitors of effective communication, and ways to address them.





Overview



Security professionals' inability to communicate effectively with the enterprise is one of the most common reasons for the failure of their activities. Chief information security officers (CISOs) and professionals in related disciplines need to address five key reasons for these communication problems.

Key Findings
  • Communication difficulties represent one of the primary reasons for the failure of security and risk management activities, and for the marginalization of security and risk management organizations within enterprises.

  • Security and risk management professionals continue to speak a different language from business leaders — and they shouldn't expect business leaders to bridge this communication gap.

  • Security and risk management professionals not only communicate differently from business leaders, but also communicate about different issues — issues that are commonly not of interest to the business leader.

  • Communication between the security/risk functions and the business is slowly improving, although most often in industries — such as financial services and healthcare — where the importance of enterprise risk management is more widely recognized.

Recommendations
  • Recruit security and risk management program leaders from outside the technical disciplines. Seek individuals who have broad business, communication, and leadership skills and experience, and can address the needs of the business.

  • Encourage and motivate security and risk management personnel to acquire applicable business skills. This may mean anything from studying business writing or communication to taking an internal class to learn about how the enterprise or a specific business unit works.

  • Seek out and cultivate sympathetic stakeholders across the enterprise who can help you refine and communicate the security and risk management message. Use their expertise to identify accessible early "wins" that can demonstrate the business value of security and risk management efforts to a larger audience.




Analysis



Gartner client inquiries make it clear that one of the most serious problems facing security and risk management professionals is their inability to communicate effectively with senior executives, line-of-business managers and other key business decision makers. CISOs and others with security and risk responsibilities find it extremely difficult to articulate their agendas; to demonstrate the value of their programs, processes and controls; to indicate that they understand the key risks of their business "clients"; and — crucially — to justify the expenditures on their activities. These communication problems have adverse effects that flow in the opposite direction as well, with security and risk management efforts that fail to meet the needs of the business. The result is a vicious circle, in which poor communication results in inefficiencies and failures, which, in turn, diminish the perceived value of the enterprise's security and risk management initiatives.

Gartner has identified five key failures in these crucial interactions between security and risk professionals and their clients in the business, as well as measures that security and risk management professionals can use to help overcome them. There are no simple solutions, but an ongoing effort to improve communication will deliver clear, recognizable benefits. The five key reasons security professionals can't communicate effectively and productively with the business are described below.




Reason No. 1: Security and risk management professionals speak a "language" that few people outside their discipline fully understand.

Security personnel tend, of course, to come from technology backgrounds. Typically, the security function has evolved from the part-time responsibility of a network or system administrator, and the security professional's career path has followed the same route. It is natural for these individuals to think and speak in technical jargon. (They eventually tend to adopt specialized security jargon, which might be considered a separate "dialect" of IT language, isolating them somewhat even from other IT personnel.)

Moreover, it is a basic human tendency for people who are under stress — and security and risk management professionals are almost by definition under constant stress — to fall back into their "comfort zones" in terms of what they talk about and how they talk about it. Thus, they communicate about security and risk management issues from a technical and tactical perspective, and in technical and tactical terms. In essence, they talk about threats, when the only thing that interests the business is the risk resulting from those threats.

What to do about the problem:

  • Practice your presentation, recording yourself on video and watching and listening to your presentation. If you were a business stakeholder, would you care about what you are hearing? Does it make you interested or get you engaged? If not, you clearly need to work on your presentation skills.

  • Honestly evaluate your own presentation. This may be the most difficult activity to undertake with regard to closing the gap in the communication channels, but it may be the most important. Try to independently evaluate the content and the delivery of the message. Think about how your audience might understand what you're saying.

  • Pay close attention to your audience. If your listeners look bored — if they're looking at their computers or their mobile phones, for example — they probably are.




Reason No. 2: Security and risk management professionals have seldom been trained in how to communicate in a business setting.

Sometimes, the problem isn't what you say, but how you say it. If the presentation is poor, it will be difficult to get your point across, even if the message is strong. Few security and risk management professionals have received training in how to speak to the business in language the business understands — or about issues that matter to the business. Gartner's long-standing advice to enterprises has been to recruit IT leaders from outside the narrow technology disciplines, and to train the leaders who are already in place in basic business communication.

It is extremely important for enterprise security and risk management personnel to move beyond the stereotype of the introverted, uncommunicative "tech geek," and develop individuals who are comfortable discussing security issues with the most senior business leaders in terms those leaders understand and care about. In many respects, this is fundamentally a question of moving away from technical jargon and narrow technical concerns. (Some enterprises have had considerable success by simply creating two word lists: one of terms that can be used when communicating with non-IT personnel, and the other of terms that are never to be used.) Another critical issue is learning to avoid overloading business leaders with excessive detail. A 50-page document or a 50-slide PowerPoint presentation is likely to have the opposite effect to what is intended, and actually make the intended audience look at only the opening page or slide — or ignore the deliverable entirely. Be prepared to answer questions in detail, but don't base your presentation on the recitation of highly technical details.

What to do about the problem:

  • Recognize that meetings with business managers are not only inevitable, but also desirable, and prepare appropriately for them. As the old saying goes, "You don't get a second chance to make a first impression" — and you can't expect to "improvise" successfully.

  • Take a class in business writing, presenting or related skills. Find out whether an enterprise training program or budget is available, and learn business-focused skills, for example, instead of getting another security certification.

  • Leverage the enterprise's available communication tools. If a standard document or presentation template is available, then use it instead of trying to create your own. Be careful about getting overly dependent on the "bells and whistles" that presentation software offers — say "no" to clip art and images that don't contribute to the message.

  • Create a taxonomy document, and populate it with appropriate business terminology. Technical jargon, "buzzwords" and other specialized terminology can sometimes be helpful, but they should be used sparingly and in the appropriate context.




Reason No. 3: Business leaders are extremely busy.

The simple reality is that business leaders are preoccupied with issues that do not bear directly on security and risk management, and the higher-level those leaders are — and it is, of course, the higher-level leaders the security professional needs to reach — the more preoccupied they are. The business leader's primary concern is to deliver on the mandates of the business, so it is always difficult to find time in their schedules. When a security professional does manage to gain the business leader's attention and fails to use that opportunity effectively to demonstrate the value of current or proposed activities, it will be even more difficult to get on that business leader's schedule next time. Moreover, and even more crucially, this disengagement means that the business leader is not involved in the security and risk management decision-making and governance processes, and is far less likely to be accountable and accept responsibility for residual risk.

What to do about the problem:

  • Connect your message to an identified business driver or existing project, and get that in front of the audience as quickly as you can.

  • Structure your business cases and reports so that the most critical information is upfront. Make certain that your key points aren't "buried." You can always include supporting information (which is especially important if you won't be presenting your points in person).

  • When speaking, be succinct but not brisk. Tell your audience why they should care about the subject, and make it clear that you'll be happy to give them further details at a convenient time. Pay careful attention to how much time you spend talking versus listening. If you talk too much, you may fall in love with your own words.




Reason No. 4: Business leaders find it difficult to express their concerns in terms that security and risk professionals understand.

Security professionals are not the only ones who have difficulty communicating effectively. Business leaders, too, struggle to articulate their concerns. (Nonetheless, it is inevitably the security professionals' responsibility to overcome this problem.) Compliance issues provide a classic example: For the business, compliance is simply a set of rules to be followed, and, if the rules are followed, the business considers itself to be compliant — for example, with Payment Card Industry (PCI) standards.

However, from a security and risk management perspective, the issue is far larger. The business recognizes that a failure in PCI compliance may result in a downgrading of the enterprise's PCI status, which could cost millions of dollars in card processing fees. The security professional recognizes that the enterprise can be PCI-compliant and still suffer a data breach, because it does not take a broad-scope approach to protecting regulated or otherwise sensitive data, of which PCI-regulated data is just one component. The security professional recognizes that the same processes used for PCI compliance can be used in overall data protection and governance, protecting the enterprise against financial loss, reputational damage and regulatory scrutiny — and potentially saving significant amounts of money. For all these reasons, security professionals must be prepared to ask business leaders business-oriented questions, and to receive and correctly interpret responses and questions from business leaders that may be couched in business-oriented language.

What to do about the problem:

  • Know your audience. Senior managers and business unit leaders care about different issues from line managers or team leads, and business leaders will hear different messages from their peers in IT.

  • Make sure you understand the major goals and initiatives of the business units. Business leaders don't expect you to be an expert in their fields, but you can't help them achieve their goals in a risk-resilient way if you don't know what the goals are.

  • Recognize that this is your problem to solve. The business can't be expected to learn your language. Once you're able to get business leaders' attention and demonstrate your support of their goals, it will be easier to engage them in a dialogue in which you can work toward gaining consensus as to what the actual risks are. Create mechanisms such as data classification schemes that help nonspecialists conceptualize and rank their needs for confidentiality, integrity and availability protection.




Reason No. 5: The business finds it extremely difficult to identify its own risk appetite.

Business leaders often struggle with the concepts around risk — they know it when they see it, but are hard-pressed to define it or explain what they fear. If business leaders cannot clearly identify and articulate their degree of willingness to accept risk, security and risk management professionals cannot be expected to put effective and appropriate security controls in place. It is extremely difficult — if not impossible — to quantify risk, and risk definitions and acceptance vary widely from industry to industry, from enterprise to enterprise, from business unit to business unit and from individual to individual. The resulting confusion can be highly damaging, and not only because it may lead to inadequate security controls for the real-world risk the enterprise faces. The opposite may also be true, with excessive controls that are extremely offensive and burdensome for the enterprise's necessary business processes. (This problem is sometimes expressed, colloquially but accurately, as "putting a $10 fence around a $5 horse.")

For this reason, one of the most important steps security and risk management professionals can take is to conduct a comprehensive assessment of not only the enterprise's risk profile, but also its current state of risk maturity. The maturity assessment process is particularly crucial, because Gartner research has shown clearly that enterprises that are more mature from an overall risk management perspective are also more effective at discussing and dealing with risk-related issues in specific domains. Improvements in risk maturity will result in improved security and risk communication, which will, in turn, result in improved risk management — helping to turn a vicious circle into a virtuous one.

What to do about the problem:

  • Leverage existing models or methodologies for communication, assessment and management of risk. Numerous frameworks and methodologies are commonly accepted in enterprises. Adopting the terminology that is already used in business risk discussions will enable security leaders to focus on the message and not the nomenclature.

  • Develop a lexicon of risks that includes definitions. Develop and socialize the concepts around valuation of assets, as well as impact and likelihood of risks.

  • Use scenarios or stories to demonstrate and personalize the impact and likelihood of risk. Complicated graphics and discussions of probabilities don't always resonate. Laying out a story of what could happen is far more interesting and is more closely related to reality.



© 2011 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. This publication may not be reproduced or distributed in any form without Gartner's prior written permission. The information contained in this publication has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information and shall have no liability for errors, omissions or inadequacies in such information. This publication consists of the opinions of Gartner's research organization and should not be construed as statements of fact. The opinions expressed herein are subject to change without notice. Although Gartner research may include a discussion of related legal issues, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner is a public company, and its shareholders may include firms and funds that have financial interests in entities covered in Gartner research. Gartner's Board of Directors may include senior managers of these firms or funds. Gartner research is produced independently by its research organization without input or influence from these firms, funds or their managers. For further information on the independence and integrity of Gartner research, see "Guiding Principles on Independence and Objectivity" on its website, http://www.gartner.com/technology/about/ombudsman/omb_guide2.jsp.