Navigating the Politics of Measuring Security
Richard Absalom, Principal Research Analyst at the ISF, explores the soft skills needed to navigate boardroom politics, ensuring measurements provide clear insight that supports decisions and drives action.
One of the key recommendations from our research into Measuring Security was that measurements must provide clear insight that supports decisions and/or drives action. We outlined a measurement cycle that helps maintain communication with decision-making stakeholders, keeping their requirements up to date and improving the organisation’s ability to measure information risk and security performance over time (see the graphic on the right). But what happens when those decision-makers simply don’t want to hear what the data has to say? There is a moral and ethical maze to navigate, in addition to the work of actually measuring security.
Security leaders often find themselves in a precarious position when navigating boardroom politics in organisations where information risk management is not always a priority. They can’t go in all guns blazing with a fully honest account of how poor the organisation’s security posture is – they may even be under pressure to obfuscate or omit certain details. However, presenting a watered-down version of the truth is likely to come back to bite them later when an incident occurs and questions start flying about who knew what, and when.
Antagonising people to the extent that they don’t ask for further security status reports – or simply switch off whenever a security practitioner enters the room – is counterproductive to helping the organisation manage risk. A mix of soft skills is needed to complement the message being conveyed, and there is a fine line to tread between speaking truth to power and saying just enough to have an influence.
Why presenting the full truth around security measurements can be difficult
It is often the case from a security posture perspective that the better you measure, the worse you will look. This is, of course, simply a case of changing perceptions: the level of risk remains the same as before those measurements were taken; that risk has now been exposed and it can be dealt with. However, presenting decreased performance (or previously unknown poor performance) can be a shock to the system, and communicating that change can be fraught with difficulty…