'Drop the geek speak': Gartner's Paul Furtado on how to be a security success story

Soft skills are key to winning executive support

Tom Allen
5 min read

Security success is about more than just blocking attacks; you need to know how to speak to the business.

When Paul Furtado, VP and analyst at Gartner, took the stage at MES Spring this year in Orlando - an event hosted by our partner, the MES IT Network - he spoke about the metrics that drive security investment.

[Image: Paul Furtado, Gartner]

The problem, he said when we talked this month, is that those investments are often misaligned, focusing on tools instead of protection.

"Vendors do a good job of telling us tools are the solution to what ails us, but it might just be governance, policies or processes. If your tools are really so poor, you've probably been breached already."

Winning executive support

It won't be a shock to anyone that to secure investment, you need to be able to present a case to the board. Soft skills come into play here.

The issue is that, for years, security has been treated as purely technical. We have a generation of CISOs who never had to talk to business leaders before being promoted. Now, they don't know how.

Here's the most important advice to follow when talking to business leaders:

  1. Avoid being too technical. "Stop talking about technology," says Paul. "Start talking about risk and the impact on business outcomes. Some executives still see IT as a cost centre; if you want to get out of that box and be seen as more strategic, you need to change your language."
  2. Include crucial data. Avoid delving into the nuts and bolts, but you should always come to managers with data-based facts. "That makes it impossible to dispute. Then, executives have the data to make a decision."
  3. Make it digestible. "If you're going to show the board a slide, try to tell your story on one page - you never know how much time you'll have with them."

So, let's break these down a little more.

Avoid technical talk

When executives ask about security, they're not asking about the technology you're using to protect the business. They don't - or shouldn't - get so deep into the weeds that they care about the difference between LogRhythm, Splunk and Rapid7.

Rather, the board are looking for "a level of assurance that the business has the right controls in place."

"You have to be able to talk about security posture in terms the executive team care about," says Paul. "The impact on revenue, the value of an investment, and risk vs cost."

To make this information easy to communicate, he advises ranking each business group - finance, marketing, sales, etc - based on their risk and value.

"If you want to make it a business conversation, business has to be involved in how you're measuring [risk]."

A major upside to the above approach is that it is "not an IT conversation, but a business one."

Where IT gets involved is in analysing each group's risk exposure, then plotting the cost or amount of security funding they are getting.

Support claims with data

Most companies today measure risk by looking at outcomes and probabilities. This is "more art than science," says Paul.

Instead, try to choose outcome-driven metrics based on very specific measures. For example, part of your business continuity risk can be determined by analysing your off-site compute and storage capacity.

"If that capacity is only 20%, that's a critical risk."

Presenting managers with real data makes it impossible to dispute and hard to ignore - and as a bonus, it gives business leaders the insights they need to make decisions.

"Your job is not to say 'Yes' or 'No', but to stop the board saying, 'You didn't tell me [about the risks].'"

Ultimately, all risk decisions rest with upper management, no matter how much you might wish otherwise. You have to be able to work within their level of tolerance.

"If you ask for £1 million and the board only gives you £250,000, they are making a risk acceptance decision."

Brevity is the soul of success

As a CIO (or CTO, CDO, CISO, etc), you'll have access to plenty of technical metrics. As important as they are, they don't necessarily translate well to the board.

"It's about reframing how we present information," Paul points out. "Try to tell your story on one page - you never know how much time you'll have with [the board]. But again, dress it in terms of business goals and how risks and threats will impact them. What is the risk profile? What business goals are at risk?"

For too long, IT - and especially security - have been the most maligned line of business. They cost money, they add nothing, they get in the way of important work, and worst of all, they just don't speak the same language as everyone else.

Following the steps above can help you change that perception and ensure the executive team fights in your corner.

As Paul says, "If your highest-performing sales rep comes to the CEO and demands that IT 'takes that crap off my computer,' will they make a demand of you? Or will they explain why those policies and tools exist?"

Computing has partnered with the MES IT Leadership Network, supporting and serving the needs of IT professionals in midsize enterprise organisations by providing exclusive content, resources and networking opportunities.
