Security language barrier exposes business to risk

Talk to the hand because business isn't listening

A breakdown in communication between the heads of business, IT and security has left organisations at much greater risk of data breaches, according to a report presented today at the RSA Conference in London.

The report, Speaking the same language: Five key steps for the business, IT and security leaders, co-authored by PricewaterhouseCoopers (PwC) and security education outfit (ISC)2, warns of the dangers to business if IT, security and business managers fail to articulate their needs in language that all can understand.

This isn’t the usual case of IT being told off for not talking business language. The report also blames business leaders for thinking of data security as a technological problem instead of a strategic management issue, especially now that data breaches carry high reputational and legal risks.

In the report, Richard Sykes, governance risk and compliance leader at PwC, writes: “Business leaders and boards have tended to regard information security as a technology issue, but this is a complete misconception and needs to change.

“In the business’s view, the role of information security is to make its life as difficult as possible with obscure policies and complex restrictions that hinder the conduct of normal business.”

The report paints a familiar picture of business managers who regard IT as a necessary evil, IT managers who regard security as a brake on progress and security chiefs who feel undervalued, except in some sectors where appreciation for risk is built into the business model. It calls on all parties to tackle the risk of security breaches and lays out a five-point plan for successful communication.

“In some industries, such as financial services, regulatory and compliance pressures have helped information security 'sell' security to the business and get onto the business agenda. But in most sectors this remains an uphill battle,” writes Sykes.