How to communicate data risk to the business


Editor’s note: Joerg Fritsch is a VP analyst at Gartner focusing on data security and cloud security.

The role of data security within the enterprise has been undergoing significant change. Particularly as competitive pressures around AI and advanced analytics initiatives mount, business leaders are often leveraging data without understanding or evaluating the associated risks.

When it comes to data risk, business stakeholders often lack a sense of responsibility for security incidents and may not fully grasp the potential financial and reputational consequences. With a lack of accountability, there is no incentive to properly manage data security risks.

Security and risk management leaders have the most complete understanding of data risk in their organization, but they often find it difficult to get their points across and influence final decisions.

Repackaging information for a business audience can ensure these critical messages reach decision makers. Data risk communications must be objective, pragmatic and clearly focused on the best interests of the organization to be effective.

Security and risk leaders can follow these best practices for effective data risk communication.

Step 1: Bring the listener in

Risk communication should always follow a storyline. Prepare this storyline before the conversation, starting with a strong hook statement to catch the audience’s attention and make them want to know more.

For example, remind stakeholders about the increased need and business benefits of data sharing.

Many communications begin with people silently wondering, “Why should I care about this?” In the introduction, tell the listener why you are communicating with them. Provide them with the subject of communication, short risk headlines and outcome expectations.

Assure the listener that you understand their position by briefly describing their role, summarizing why they need to be involved, and outlining the security organization’s obligations regarding data risk management.

Then, close out your introduction with a hypothesis or thesis statement that sets the stage for the rest of your content. Repeat the risk statement, adding more high-level details about potential impact and likelihood of the risk. Make your communication objective explicitly clear.

Step 2: Earn the right to be heard

After outlining the risk and explaining the objective of the communication, summarize how the risk information being presented was collected and by whom it has been reviewed. This demonstrates to the audience that you are committed to getting the facts right and that you have engaged important stakeholders.

Outline which trustworthy and secure fact bases have been used to assess data risk. Identify who provided what information and explain how it was used to validate your data risk recommendations.

For example, you may have involved the legal counsel to get information about compliance requirements for personal data.

Give credit to internal contributors as well as any external expert data security and privacy references that were consulted. Explain who in your chain of command has reviewed the information.

Leaders could have a cover sheet signed by the chief digital and analytics officer (CDAO) for every complete and endorsed risk assessment.

Finally, make it clear to the audience what you expect to achieve through the communication. Outline the business consequences of the discussion, motivating the audience to advocate for any necessary changes to process or behavior. Be clear about accountability and responsibilities concerning data risk.

The more significant the risk, or the greater the investment or impact required by a proposed treatment plan, the broader the pre-communication must be.

Step 3: Tell the risk story

After establishing the setting and identifying the process used to validate and refine your facts, then you can actually “tell the risk story.” The risk story is the body of your risk communication.



Source link