I read the article CISO/CSO Security - Talking Security with Executive Management, about how information security managers should handle these topics with executive management, and the comment under Understanding the Target Audience caught my attention:
Executive management differs from just about every other group within an organization. Though they are all individuals, they still often share many of the same characteristics. The first of these is that they are usually skeptical. They will often cross-check every statement and number in an attempt to ensure the integrity of what is presented. This is due to the fact that the information they see is commonly used in making future decisions, driving a need to ensure its validity. Another factor that breeds skepticism is that executive management is often the center of corporate politics.
I could not agree more: our problems stem from our inability to communicate properly, especially when it comes to risk management.
As a recipe, the article closes with a series of very interesting rules that I will try to make my own whenever I have to bring information security before management:
Rule #1 Speak in their language, not yours.
Rule #2 All materials should be as “absolute” as possible; meaning that it should be very difficult to attribute a political motive to the information.
Rule #3 Base the conversation on Risk Management. If they wish to change the conversation to one of finance, keep raising the issue of risk.
Rule #4 If you have to present technical information, present it in the form of an analogy. That will act as a translator so that everyone can understand the conversation.