How to explain security to management?
Often CSOs and CIOs can act as a buffer between upper management and security professionals. They can take the technical language used by IT people and translate it into the business concepts that CEOs understand. They can also serve as gatekeepers, making sure management learns about the important security issues. For example, sound security is often compared to insurance. Fires or floods are not common, but management has no qualms about paying for insurance to cover such disasters. Investments in smoke detectors and sprinkler systems are similar. The risk posed by a fire is so significant that companies will take steps to protect against it even if the likelihood isn’t very high. Doll suggests that CIOs and CSOs lead their CEOs through tabletop exercises that highlight the potential damage posed by certain security incidents. That way, if such an event occurs, management would know how to respond, he said. Presenting the specific technical nature of an incident is not as important a