Data is created, modified, moved and deleted as part of any number of business processes. These business processes and underlying technologies create transformative value for their organizations. The smart cyber leader will want to frame conversations with non-technical executives in a way that they can quickly grasp.
A detailed explanation of NIST or other framework data security requirements is probably not the conversation format in which you’ll find success. You won’t establish your expertise with execs through a deep dive into frameworks.
One key expectation to set with non-technical executives is that the security team’s job isn’t to own those business processes. Individual business process owners own the processes as well as the data. The cyber security team’s role is to take a structured approach to lowering risk and reducing impact to that value through governing controls, monitoring, and responding to incidents within those data processes.
One might think that data security is as easy to explain to executives as simply identifying the risks to data and presenting them. But the executives are going to ask questions, probably very pointed questions. If you say that your data presents a certain type of risk (regulatory, operational, etc.), you’ll need to think through how to explain that risk to the exec(s).
One informal and easy way to frame risks and give business context is with the old and reliable 5 Ws: who, what, when, where, why (and how).
Who: Who has access to key data in the various parts of the business process? Who doesn’t? Who are the key stakeholders in the business process?
What: What are the data requirements? What is the current state of the data controls? What is the current prioritization? What isn’t being done? What are the gaps? What needs to change? What additional support is required from stakeholders? What does “done” look like?
When: When were the controls last assessed? When is the next assessment/audit? When will the team perform key work items?
Where: Where are the controls strongest? Weakest? Where is improvement needed? Where are the entry/exit points that need to be governed for key data?
Why: Why the current prioritization? Why are the data relevant to the risk?
How: How do we measure ourselves? Against other organizations? How do we better apply resources? How can we better protect data? How do/will we communicate progress?
The sample questions above alone should stimulate a very compelling executive conversation. There is no need to include any tool names or jargon. The less tool discussion, the more compelling and business focused the conversation.
Compelling and easy to understand is what you’ll want.
And that’s what the execs will want too.
Follow me on Twitter for discussion and the latest blog updates: @Opinionatedsec1. Or, start your own discussion using #crazygoodcyberteams on Twitter or LinkedIn and I'll read it.