Security metrics for business or business metrics?
At first glance, Andrew Storms dispenses good advice in How To Talk About Security With Every C-Suite Member. He emphasizes that there's not much point talking tech to execs.
"Communicating with C-suite leaders about the ongoing security threats your company faces can easily turn into an exercise in futility. Their eyes glaze over as you present metrics and charts that illustrate the current state of the business’s IT infrastructure, and your attempts to justify investments in additional security tools and systems end up being unsuccessful."
Mmm, well, if you are indeed trying to justify investments in [IT] security tools and [IT] systems using [IT] metrics and charts concerning the IT infrastructure, then yes you are patently focused on IT. Or, as Mr Storms put it, you are "failing to contextualize your data into terms that resonate with leaders who work outside of IT", using sixteen words when three would do.
"When speaking with leaders from across the business, it’s important to remember the common goal you share: enablement. In your case, by assessing the risks your company faces, balancing them with the potential costs of a breach, and making security investments accordingly, you’re enabling every department to function and thrive on a day-to-day basis. You need to make it clear to your audience—in terms they can relate to—how your team is directly contributing to this universal goal. Rather than presenting industry-standard metrics without further explanation, contextualize your findings by showing their net value."
I welcome the business enablement angle even more than the [information] risk part, but there's more to this than investing in controls to prevent 'breaches', and that final sentence jars with me. 'Rather than presenting industry-standard metrics' is a curious turn of phrase: why would anyone be presenting 'industry-standard metrics', and if so, what are they? What does that even mean? It's a false dichotomy.
It gets worse ...
"Explain exactly why you’ve chosen to present this metric, and describe exactly how addressing hosts with a 5-or-higher CVSS score directly enables the whole company."
To put that another way, "Say why your geeky tech metric is on the table and point out how brilliantly it shines".
The implication is that the execs are not clever enough to understand IT security metrics, so dumb them down, speaking s l o w l y and loudly, gesticulating wildly.
The possibility of the execs having driven the selection of information security metrics to suit business objectives in the first place doesn't seem to have occurred to the author.
I would turn this whole thing on its head. Instead of 'talking about security', the discussion should instead be about the business, or rather what concerns the execs in relation to achieving the organization's business and other objectives. Instead of focusing rather negatively on [information] risks, how about turning the discussion towards something much more positive such as the business opportunities opened up by secure access to high quality information?
The point is that investing in security is not a goal in itself but a means to an end. If the end is obvious, and it is clear how information security supports or enables reaching it, investing or not investing is no longer a major issue. It's not exactly a foregone conclusion, however, because there may be other, even more valuable opportunities and various constraints. It's a strategic issue, exactly the kind of thing that execs are paid to deal with. With this in mind, the particular metrics are incidental, almost irrelevant to a much bigger and more significant business discussion.