By 2014, 80 per cent of IT security executives will be required to report risk issues to their board of directors but many presentations need improvement, according to a Gartner security analyst.
Speaking at the Gartner Security & Risk Management Summit in Sydney, Gartner US distinguished analyst Paul E. Proctor shared four tips with delegates.
According to Proctor, fear, uncertainty and doubt (FUD) have limited value for a board so IT security executives should not dwell on it.
"I see a lot of board presentations which contain 75 per cent FUD. You don't control the [security] threat but you do control the organisation's readiness and that is a great place to focus the board's attention," he said.
He also said that executives should "abstract out" security technology and avoid using technology-laden pie chart slides.
According to Proctor, people should use time in front of the board to bridge the cultural disconnection. "They believe security is a technical discipline run by technical people. You need to instruct them that there is no such thing as perfect security so introduce them to the choice of spending more and lowering the risk or spending less and accepting more risk."
Finally, security professionals should relate security and risk to business impact that the board cares about.
Proctor gave an example of a European car manufacturer where an hour of IT downtime means 40 cars are not built.
"They report lost cars to their board, not IT downtime, because their board cares about cars," he said.
"The power of security and risk management can be used to influence business decision making."