Data is created, modified, moved and deleted as part of any
number of business processes. These business processes and underlying
technologies create transformative value for their organizations. The smart
cyber leader will want to frame conversations with non-technical executives in
a way that they can quickly grasp.
A detailed explanation of NIST or other framework data security requirements is probably not the
conversation format in which you’ll find success. You won’t establish your expertise with execs through a
deep dive into frameworks.
One key expectation to set with non-technical executives is
that the security team’s job isn’t to own those business processes. Individual
business process owners own the processes as well as the data. The cyber security team’s role is to take a
structured approach to lowering risk and reducing impact to that value through governing
controls, monitoring, and responding to incidents within those data processes.
One might think that data security is as easy to explain to
executives as simply identifying the risks to data and presenting those risks.
But the executives are going to ask questions, probably very pointed questions.
If you say that your data presents certain types of risk (regulatory,
operational, etc.), you’ll need to think through how to explain the risk to the
exec(s).
One informal and easy way to frame risks and give business context is the old and
reliable 5 Ws: who, what, when, where, why (and how).
Who: Who has access to key data in various parts of? Who doesn’t? Who are the key stakeholders in the business process?
What: What are the data requirements? What is the current state of the data controls? What is the current prioritization? What isn’t being done? What are the gaps? What needs to change? What additional support is required from stakeholders? What does “done” look like?
When: When were the controls last assessed? When is the next assessment/audit? When will the team perform key work items?
Where: Where are the controls strongest? Weakest? Where is improvement needed? Where are the entry/exit points that need to be governed for key data?
Why: Why the current prioritization? Why are the data relevant to the risk?
How: How do we measure ourselves? Against other organizations? How do we better apply resources? How can we better protect data? How do/will we communicate progress?
Just the sample questions above seem like they’d stimulate a very
compelling executive conversation. There is no need to include any tool names
or jargon. The less tool discussion, the more compelling and business focused the conversation.
Compelling and easy to understand is what you’ll want.
And that’s what the execs will want too.
Follow me on Twitter
for discussion and the latest blog updates: @Opinionatedsec1. Or, start your
own discussion using #crazygoodcyberteams on Twitter or LinkedIn and I'll read
it.