How do you communicate security risks to your stakeholders without coming across like a scare tactic?

People & LeadershipSecurity & GRCKPIs, Metrics & Reporting+2 more
336 views1 Upvote5 Comments
Director Of Technology in Education, 51 - 200 employees
I clearly state to “Respect the mountain”.

We can do everything right and still be unable to fully ascend. How do we communicate COVID-19 risks without coming across like a scare tactics? Same idea. Threats can be mitigated not necessarily neutralized.
2
Deputy Chief Engineer(Information Technology) in Energy and Utilities, 5,001 - 10,000 employees
One approach can be by highlighting real world incidents resembling the security risks faced by the organization.
To be frank, security risks are best understood when things happen to us and not before. So, it is important to make them visualize in that position (which again will appear as a scare tactic of sorts).
1
Chief Information Officer in Manufacturing, 10,001+ employees
I typically break it down to a conversational level that they can easily understand. Like using their household as an example of a potential breach, or vehicle locking mechanism. etc..  You have to be able to connect with the audience or you lose them.. Hopefully when you have to relay risk, you have already built a relationship with them to have those conversations.
1
Senior Information Security Manager in Software, 501 - 1,000 employees
Use FAIR. It is a powerful methodology and helps the CSO/CIO/CTO speak and communicate to the board and senior management in a language they understand.

 

https://www.amazon.com/gp/product/0124202314/ref=as_li_tl?ie=UTF8&tag=benrothkswebp-20&camp=1789&creative=9325&linkCode=as2&creativeASIN=0124202314&linkId=7fd85f49d934fa56b8adaec873bf290c
1
CTO in Software, 11 - 50 employees
By first communicating in a common, business oriented language that all stakeholders can understand. Then it's about proper context that security risks are not static, but elastic and it's not a binary situation of either being 'secure' or 'not secure', but rather how resilient your systems, networks, and employees are and having crisp plans of communication and remediation.
1

Content you might like

Do you currently do quantitative risk assessment?

Security & GRCRisk Management

Yes54%

No, but I plan to36%

No, and I do not plan to10%


253 PARTICIPANTS
1.9k views2 Comments

Is anyone going to any of these conferences?

Security & GRCSecurity Strategy & RoadmapPersonal Development

SANS Cyber Security Leadership NOVA10%

ENISA Cybersecurity Standardisation Conference 202343%

Gartner Security & Risk Management Summit14%

SANS Cyber Security East (Feb edition)3%

Nope30%


118 PARTICIPANTS
522 views

Follow up to my previous travel question… What is your favorite place to travel to for work and why?

Peer InsightsPeople & Leadership
Director of Systems Operations in Healthcare and Biotech, 10,001+ employees
By far the best place for me to travel was Shanghai. Loved the city and the vibe. Singapore is also an amazing place to have to be stationed for work.
2
Read More Comments
3.7k views4 Upvotes3 Comments

Have you created a vendor assessment questionnaire that is specific to consultants and integrators that only have either limited access, time-bound access that is controlled, or no access but are involved with designs, data, or exposed to sensitive information? I am looking to streamline my TPRM questionnaire for consultants and integrators.  I've used the SIG and SIG lite, and used the SIG Manager to customize the domains. Not all questions that you can ask in an assessment are equal when you take the details of access and exposure into account.  I want to have a specific set of questions to help us really assess the risk for this type of vendor. 

Security & GRC
225 views

I am increasingly having to present to our board and it’s not always the best experience. Do you have any advice on how best to approach a company board that is not technical at all?

People & Leadership
Read More Comments
109.4k views217 Upvotes119 Comments