Communicating with Management about Web Security, Part 1 – Knowing What You’re Up Against

“Nothing in life is more important than the ability to communicate effectively.” Former U.S. President Gerald Ford said that, and I can’t stress enough how much it applies to our web security efforts. Whether we’re trying to sell web security, make others aware of security risks, or keep people on board to support web security for the long term, everything we do when we communicate with management either helps us or hurts us.

All too often, we get in our own way. We take the wrong approach. We assume management knows what we’re dealing with. We force technical information on management without thinking about the consequences. We go as far as talking down to the very people we need to be educating, motivating, and lifting up.

There was an interesting study recently highlighting the disregard technical professionals have for those who are running the business. The State of Risk-Based Security Management, developed by the Ponemon Institute, found that 59% of IT and security professionals surveyed believe that security metrics information is too technical to be understood by non-technical management. In other words, we believe management just doesn’t “get” the data we work with, including web security vulnerability reports, risk trend reports, and so on.

When we blame our audience rather than the message we’re delivering, we fall into the same trap of ignorance that we often blame management for. This is bad for web security, bad for the business, and bad for our careers.

We typically focus our efforts on generating the most technical web security vulnerability reports we can. But what, exactly, is management going to do with a technical report full of HTTP requests and responses, such as the SQL injection findings shown in the following figure?

[Figure: Acunetix WVS developer report snapshot showing SQL injection findings with the HTTP requests and responses]

Not that there’s anything wrong with this information. We have to have it. The technical details provide everything developers need to resolve the problems, but they can leave management wondering, yet again, why any of this stuff matters to the business they’re running.

In fact, we get so caught up in our own ways of using our scanners that we don’t even realize there are reporting features that can help us and our cause in so many other ways. Take, for example, the Executive Summary, Compliance Report, and Scan Comparison options in Acunetix WVS Reporter shown in the following figure:

[Figure: Acunetix WVS Reporter showing the Executive Summary, Compliance Report, and Scan Comparison report options]

I’ve often been guilty of getting in, running scans, acquiring the technical details needed, and moving on. We have to break this cycle. We have so much more information at our disposal that can help us and others in the business.

Your next steps should be:

  1. Understand what management is looking for – don’t be afraid to ask them what they need.
  2. Get to know your web vulnerability reporting options and generate the report that’s proper for the audience.
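As an added illustration of step 2 (example code written for this article, not Acunetix WVS Reporter’s own code and not output from it), here is a small Python script that produces both views from one set of findings: a developer view that keeps the raw request and response, and an executive view that rolls the same findings up into severity counts plus a scan-to-scan comparison of what is new, fixed, and still open. The finding fields, the severity names, and the two sample scans are all constructed for the example.

```python
"""Turn one set of scanner findings into audience-appropriate reports.

Example code: the Finding fields and sample data below are assumptions
made for this illustration, not a real scanner's export format.
"""
from collections import Counter
from dataclasses import dataclass

SEVERITIES = ("High", "Medium", "Low", "Informational")


@dataclass(frozen=True)
class Finding:
    name: str            # vulnerability class, e.g. "SQL injection"
    url: str             # affected path
    parameter: str       # affected input, "" if not parameter-specific
    severity: str        # one of SEVERITIES
    request: str = ""    # raw HTTP request: developer-level detail
    response: str = ""   # raw HTTP response: developer-level detail

    @property
    def key(self):
        """Identity used to match the same finding across two scans."""
        return (self.name, self.url, self.parameter)


# Constructed sample data for two scans of the same site (not real output).
PREVIOUS_SCAN = [
    Finding("SQL injection", "/login.php", "username", "High",
            "POST /login.php HTTP/1.1\r\nHost: example.test\r\n\r\nusername=x'&password=x",
            "HTTP/1.1 500 Internal Server Error\r\n\r\nYou have an error in your SQL syntax"),
    Finding("Cross site scripting", "/search.php", "q", "High",
            "GET /search.php?q=<script>alert(1)</script> HTTP/1.1\r\nHost: example.test",
            "HTTP/1.1 200 OK\r\n\r\nResults for <script>alert(1)</script>"),
    Finding("Directory listing", "/images/", "", "Low"),
]
CURRENT_SCAN = [
    Finding("Cross site scripting", "/search.php", "q", "High",
            "GET /search.php?q=<script>alert(1)</script> HTTP/1.1\r\nHost: example.test",
            "HTTP/1.1 200 OK\r\n\r\nResults for <script>alert(1)</script>"),
    Finding("Directory listing", "/images/", "", "Low"),
    Finding("Blind SQL injection", "/products.php", "id", "High",
            "GET /products.php?id=1 AND SLEEP(5) HTTP/1.1\r\nHost: example.test",
            "HTTP/1.1 200 OK (response delayed ~5s)"),
    Finding("Clickjacking: X-Frame-Options header missing", "/", "", "Low"),
]


def severity_counts(findings):
    """Count findings per severity, always reporting every severity level."""
    counts = Counter(f.severity for f in findings)
    return {s: counts.get(s, 0) for s in SEVERITIES}


def compare_scans(previous, current):
    """Classify findings as new, fixed, or persisting between two scans."""
    prev = {f.key: f for f in previous}
    curr = {f.key: f for f in current}
    by_key = lambda f: f.key  # deterministic ordering for reports
    return {
        "new": sorted((curr[k] for k in curr.keys() - prev.keys()), key=by_key),
        "fixed": sorted((prev[k] for k in prev.keys() - curr.keys()), key=by_key),
        "persisting": sorted((curr[k] for k in curr.keys() & prev.keys()), key=by_key),
    }


def executive_summary(previous, current):
    """Management view: counts, trend, and what is still open, no HTTP detail."""
    counts = severity_counts(current)
    delta = compare_scans(previous, current)
    lines = [
        f"Open findings: {len(current)} "
        f"({counts['High']} high, {counts['Medium']} medium, {counts['Low']} low)",
        f"Since the previous scan: {len(delta['new'])} new, "
        f"{len(delta['fixed'])} fixed, {len(delta['persisting'])} still open",
    ]
    stale_high = [f for f in delta["persisting"] if f.severity == "High"]
    if stale_high:  # the item management most needs to act on
        lines.append("High-severity issues carried over unfixed: "
                     + "; ".join(f"{f.name} at {f.url}" for f in stale_high))
    return "\n".join(lines)


def developer_detail(finding):
    """Developer view: everything needed to reproduce and fix one finding."""
    parts = [f"{finding.name} ({finding.severity}) - {finding.url}",
             f"Parameter: {finding.parameter or 'n/a'}"]
    if finding.request:
        parts += ["--- Request ---", finding.request,
                  "--- Response ---", finding.response]
    return "\n".join(parts)


if __name__ == "__main__":
    print(executive_summary(PREVIOUS_SCAN, CURRENT_SCAN))
    print()
    print(developer_detail(CURRENT_SCAN[2]))
```

The executive view deliberately drops the request and response and leads with the trend and the high-severity items that survived a whole scan cycle, because that is the part management can act on; the developer view keeps the raw traffic because that is what the person fixing the bug needs.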

In part two of this three-part blog, I’ll talk about how you can communicate specific security findings along with the best approach to take depending on the issue and the audience.

  • You have to speak in a language that management will understand. IT directors have to turn the real security threats into something that management can sink their teeth into—if your website is hacked what does that mean for their day-to-day? They don’t think about security issues so you have to make them realize it’s not some distant issue that doesn’t affect them.
