We were fortunate to have Andrew Plato of Anitian host the UMSA WebTracks webinar this month. The subject was communicating risk to executive leadership, and his message was simple: sum it up for leaders.
TechRepublic is predicting that 2015 is going to be the “year of the CIO.” This is an opportunity that CIOs and all IT professionals need to use to their advantage; after the security disaster that was 2014, leadership is looking to IT professionals to make 2015 a better year. Leadership is listening, but we still need to speak their language so they understand.
Tips for communicating risk to leadership
“Language not only affects comprehension, but also acceptance.”
Plato spent over an hour with us and our WebTracks attendees talking about how to communicate with leadership in a way they will understand. Executive leaders are not dumb, but they think and work differently than IT professionals do. To get executive buy-in for your ideas, you need to speak to them in their own language.
Here are a few tips Plato shared:
- Risk is an overused, misunderstood word. Use these six terms correctly and distinctly: threat, vulnerability, impact, probability, control and risk.
- Make information security and risk management more accurate, relevant, actionable and timely for leaders.
- When you report a probability, bound it by time (for example, the likelihood within the next year). Given enough time, anything can happen.
- Use words, not numbers. Words communicate better.
- Stop saying “maybe we need this…” Leaders will write that off. Be decisive.
- Don’t try to sound “official” and important. Nobody cares. Leaders want condensed, understandable information.
- Develop an action plan for leadership. Be specific and make it tangible. No vague hopes.
- Take the top 10 most serious threats and simplify them for leadership. No one will handle more than 10 threats at once.