How to Communicate About Industrial Security with Management

The effectiveness of measures to increase or guarantee industrial IT security is often not measurable for management, especially since their ROI is not always concretely recognizable. No wonder, then, that communication about the necessity of such measures between the different levels within a company is often difficult. We will show you promising strategies for getting investments in industrial security approved at the managerial level.

Depending on where in a company the responsibilities and roles of IT and industrial security lie, different communication channels, budget requests and approval processes are usually followed.

In particular, differing perceptions quickly become apparent when individual security measures are discussed. The suggestions of many responsible persons (e.g. IT management) thus fall on deaf ears with their superiors (management). When making decisions, the board of directors and the C-suite are faced with the challenge of reconciling the often purely technical reasoning of IT with corporate goals and risks.

This discrepancy simply arises from the differing perspectives of the different levels. While at the board level IT security competes with many other issues for attention and resources, and is viewed primarily from an economic perspective, middle management often takes a technical approach.  

In the meantime, a negative attitude such as "security is not visible," "security offers no ROI" and "security above all only costs money" has established itself in many places.   

The fundamental question when preparing budgets for security investments is therefore how communication should look, so that both sides understand each other and, ultimately, an economically sensible decision can be made.

Change your perspective! 

Understanding and empathy for others is the basis of good communication. 

From the perspective of management, the most important thing is to make the right business decision. Their task is to optimize a company’s profit and growth, which is only possible if they are prepared to take risks. Understandably, this should result in as few losses as possible for the company.

Technical arguments for the implementation of security measures alone are not enough. 

For the manager, it is secondary whether the decision taken is to the liking of all concerned. In the worst case, a wrong decision can lead to a loss of revenue, cost jobs, and damage the corporate image in the long term. For this reason, every investment should be made with caution. Colleagues and employees expect that responsibility is taken for every decision that is made, and wrong decisions can easily lead to the loss of one's own position. It is therefore important that, once a decision has been made, it can be consistently and resolutely defended.

For this reason, arguments "for better security" alone are not enough. 

Similarly, certification and compliance with standards are of little interest from a managerial perspective if they do not match the company’s economic objectives. It becomes more interesting, however, to use business impact and risk analyses to present a case to management as to which systems have the greatest economic impact, so that they can then be specifically allocated in the budget.

Managers think in risks

Risks are defined by the probability of occurrence and their extent or consequences. 

Risk = Probability x Impact 

In risk management, there is not only one way to deal with risks:  

  • Accepting the risk (if the probability or extent is low enough).  
  • Reducing the risk (by introducing protective and response measures). 
  • Transferring the risk (e.g. through insurance).

A cyber attack is just one of many risks. If the prospect of a cyber incident appears small or the effects seem negligible, then the need for security measures will be neglected or (more likely) ignored from the outset. Be prepared that there will always be someone on the company's board of directors who will ask: "And what if no incident occurs?"

The real task is to link the consequences of a cyber incident to the risk types already applied in the prevailing risk framework. Examples of this are: 

[Image: examples of risk types; no alt text was provided for this image.]

A business impact consideration and a risk analysis will both be of assistance: through them, one learns quite quickly which effects a "business impact" has on the individual processes and thus, from an economic point of view, which processes would suffer the greatest consequences. Only then should investments be made.

Caution: A risk analysis can very quickly become too extensive and overwhelming. It is as important to define the scope in advance as it is to find the right balance between a quantitative and a qualitative approach, because often there is no choice but to estimate (occurrence) probabilities subjectively.
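As an added illustration that is not part of the original article, the following Python script turns the risk definition above (Risk = Probability x Impact) and the three treatment options (accept, reduce, transfer) into a small decision template of the kind a manager can act on. It ranks scenarios by expected annual loss, checks each candidate measure against the loss it avoids, and keeps the scope deliberately narrow. All scenario names, probabilities, loss figures, measure costs and the acceptance threshold are constructed for the example; the risk figures are subjective estimates, exactly as the text warns.

```python
"""Constructed risk register used as a decision template for management.

Each scenario carries an estimated annual probability of occurrence, the
loss if it occurs, and the cost and effect of one candidate measure.
All names and figures below are invented for illustration only.
"""
from dataclasses import dataclass
from typing import Iterable, List, Dict


@dataclass(frozen=True)
class Scenario:
    name: str
    probability: float           # estimated annual probability of occurrence (0..1)
    impact: float                # loss per occurrence, in currency units
    measure: str                 # candidate protective or response measure
    measure_cost: float          # annual cost of that measure
    residual_probability: float  # estimated probability after the measure


def annual_risk(s: Scenario) -> float:
    """Risk = Probability x Impact, expressed as expected annual loss."""
    return s.probability * s.impact


def residual_risk(s: Scenario) -> float:
    """Expected annual loss that remains after the measure is in place."""
    return s.residual_probability * s.impact


def recommend(s: Scenario, acceptance_threshold: float) -> str:
    """Map a scenario onto the three treatment options from the text.

    accept   -- expected loss is below what management tolerates anyway
    reduce   -- the measure avoids more expected loss than it costs
    transfer -- the measure is not worth its cost; look at insurance instead
    """
    risk = annual_risk(s)
    if risk <= acceptance_threshold:
        return "accept"
    if risk - residual_risk(s) > s.measure_cost:
        return "reduce"
    return "transfer"


def decision_table(scenarios: Iterable[Scenario],
                   acceptance_threshold: float) -> List[Dict[str, object]]:
    """Rank scenarios by expected annual loss and attach a recommendation."""
    rows = []
    for s in sorted(scenarios, key=annual_risk, reverse=True):
        rows.append({
            "scenario": s.name,
            "annual_risk": round(annual_risk(s), 2),
            "measure": s.measure,
            "measure_cost": s.measure_cost,
            "avoided_loss": round(annual_risk(s) - residual_risk(s), 2),
            "recommendation": recommend(s, acceptance_threshold),
        })
    return rows


# Constructed sample register (hypothetical plant, invented numbers).
SCENARIOS = [
    Scenario("Ransomware halts the production line", 0.10, 2_000_000,
             "network segmentation and offline backups", 150_000, 0.02),
    Scenario("Malware via USB on an engineering workstation", 0.30, 50_000,
             "USB device control", 10_000, 0.05),
    Scenario("Remote maintenance account misused", 0.05, 800_000,
             "dedicated jump host with MFA", 60_000, 0.03),
]

# Constructed tolerance: management accepts up to this expected annual loss.
ACCEPTANCE_THRESHOLD = 20_000


def run_register() -> List[Dict[str, object]]:
    """Build the decision table for the sample register."""
    return decision_table(SCENARIOS, ACCEPTANCE_THRESHOLD)


if __name__ == "__main__":
    for row in run_register():
        print(f"{row['scenario']}: risk {row['annual_risk']:,.0f}/year, "
              f"measure '{row['measure']}' costs {row['measure_cost']:,.0f} "
              f"and avoids {row['avoided_loss']:,.0f} -> {row['recommendation']}")
```

The ordering of the checks matters: a scenario under the acceptance threshold is accepted regardless of how cheap its measure is, which keeps the register focused on the processes with the greatest economic consequences rather than on every possible improvement.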

Not recommended: getting managers to act through fear

The FUD approach (fear, uncertainty and doubt) is still widely used in IT security. Citing stories and figures about hackers, terrorists, malware and cyberwar does not help here, and in the worst case it can even be counterproductive: "If the attack possibilities are so advanced anyhow and occur in such large numbers, why should we invest even more in security if the measures will not help?"

In the eyes of the decision-makers, too much money is usually spent on security anyway, and it seems as if the costs are increasing every day. Security is first and foremost an expense rather than an income source. It is not a matter of securing the system 100%, but of being secure enough to protect the important and relevant processes.

By means of FUD you may generate the initial attention, but to really make a difference you need a good argument and a solid presentation of the relevance of security for the business.

Economic reasons for security  

The trick is to use arguments about economic relevance when approaching management. Often these are arguments that have nothing to do with security in the first place, and the security aspect is merely a by-product rather than the primary goal.

A noteworthy example is an inventory of assets. It provides an initial overview of the components and processes worthy of protection and, if applicable, their weaknesses. Beyond that, with an inventory list as a base it is often possible to reduce stock levels, improve communication channels (e.g. between IT and technology) and develop secure operating processes.

With such an argument it is usually "easier" to convince a production or plant management. 

Emphasize that the fundamental task of IT security is to ensure the functionality of the IT systems. These in turn ensure the functionality of the company’s actual economic processes (e.g. the production of economic goods). If the IT systems of a company function, the economic processes also function.

Increasing the basic performance of the production network can provide:

[Image: benefits of increasing the basic performance of the production network; no alt text was provided for this image.]

Conclusion

In summary, the more you are involved with your counterpart and understand their point of view, the better you can communicate your concerns.

Bear in mind that the business context is primarily about strategic and economic goals. Here, new opportunities, growth potential and securing what you have already achieved are of interest.

But above all, a manager wants to make decisions. So, provide a decision template upon which decisions can be made, and do not pre-empt those decisions yourself.

Use terms from the "business environment," such as "risk minimization," "increasing availability," "process optimization" and "reduction of human error." Show the effects the individual security measure has on the company and its economic goals. 

"Branding" and "soft skills" are more important here than you might think! Precedents and industry-related examples are also welcome. 

More articles by Max Weidele