Editor’s note: Joerg Fritsch is a VP analyst at Gartner focusing on data security and cloud security.
The role of data security within the enterprise has been undergoing significant change. As competitive pressure around AI and advanced analytics initiatives mounts, business leaders often put data to use without understanding or evaluating the associated risks.
When it comes to data risk, business stakeholders often feel no ownership of security incidents and may not fully grasp the potential financial and reputational consequences. Without accountability, there is no incentive to manage data security risks properly.
Security and risk management leaders have the most complete understanding of data risk in their organization, but they often find it difficult to get their points across and influence final decisions.
Repackaging the information for a business audience helps these critical messages reach decision makers. To be effective, data risk communication must be objective, pragmatic and clearly focused on the best interests of the organization.
Security and risk leaders can follow these best practices for effective data risk communication.
Step 1: Bring the listener in
Risk communication should always follow a storyline. Prepare this storyline before the conversation, starting with a strong hook statement to catch the audience’s attention and make them want to know more.
For example, remind stakeholders about the increased need and business benefits of data sharing.
Many communications begin with people silently wondering, “Why should I care about this?” In the introduction, tell the listener why you are communicating with them. Provide them with the subject of communication, short risk headlines and outcome expectations.
Assure the listener that you understand their position by briefly describing their role, summarizing why they need to be involved, and outlining the security organization’s obligations regarding data risk management.
Then, close out your introduction with a hypothesis or thesis statement that sets the stage for the rest of your content. Repeat the risk statement, adding more high-level details about potential impact and likelihood of the risk. Make your communication objective explicitly clear.
Step 2: Earn the right to be heard
After outlining the risk and explaining the objective of the communication, summarize how the risk information being presented was collected and by whom it has been reviewed. This demonstrates to the audience that you are committed to getting the facts right and that you have engaged important stakeholders.
Outline which trustworthy sources of evidence were used to assess data risk. Identify who provided what information and explain how it was used to validate your data risk recommendations.
For example, you may have involved the legal counsel to get information about compliance requirements for personal data.
Give credit to internal contributors as well as any external expert data security and privacy references that were consulted. Explain who in your chain of command has reviewed the information.
Leaders could have a cover sheet signed by the chief digital and analytics officer (CDAO) for every complete and endorsed risk assessment.
Finally, make it clear to the audience what you expect to achieve through the communication. Outline the business consequences of the discussion, motivating the audience to advocate for any necessary changes to process or behavior. Be clear about accountability and responsibilities concerning data risk.
The more significant the risk, or the greater the investment or impact required by a proposed treatment plan, the wider the circle of stakeholders that must be consulted before the formal communication.
Step 3: Tell the risk story
After establishing the setting and describing the process used to validate and refine your facts, you can actually “tell the risk story.” The risk story is the body of your risk communication.
Start by aligning with the specific culture of the organization. Your risk communication works best if it is adjusted to the communication style that has been shown to resonate with colleagues. Consider the risk appetite and tolerance of the organization and use organization-specific examples to engage the audience.
Ensure the story fits the objective of the risk communication and resonates with the audience by making the messages relevant to the general, technical, management and executive levels. A clear message directly aimed at the audience will ensure future action items are understood and accepted.
A sensible storyline will engage your audience and ensure that the message lands correctly. The sequence must be coherent and meet the interests or concerns of the audience.
It is very difficult to have effective discussions about ambiguous topics. To have an effective data risk discussion, identify what the threat is, how that threat could be realized, what the consequences would be, how often the threat may occur and whether anything can be done about it.
For example, the following outline can provide a clear and relevant data risk storyline:
- Start with a threat agent. “We have an insider issue.”
- Describe the threat scenario or mechanism. “Sensitive business information from our data lake was discovered by law enforcement on a criminal’s storage device. We have found no indicators of an external compromise, so the working hypothesis is that the data was deliberately leaked.”
- Outline the consequences. “We may need to involve our legal counsel to report this as a privacy breach to the relevant state attorneys general.”
- Give an estimation of frequency of occurrence. “It seems that the insider is selling sensitive data on a regular basis, as the information found covers different quarters.”
- State the risks. “If we don’t identify the source of the leak, sensitive data will be sold on a regular basis, impacting our organization’s reputation and revenue.”
- Propose a treatment plan. “Options are to intensify monitoring or to introduce data watermarking.”
Remember the seven communication basics: clear, correct, complete, concise, concrete, coherent, courteous. Always ensure your communication offers a two-way channel to allow the audience to react. Provide an opportunity for the audience to ask questions to make the subject matter tangible.
Avoid common sources of frustration, such as fixating on a specific outcome rather than on the decision-making process itself.
Often, when a threat or a risk is identified, the organization will accept the current situation or take actions other than those security leadership suggested. The security leader’s job is to make the organization aware of a particular threat or risk and to communicate the information effectively so that an informed decision can be made, not to campaign for a particular outcome.