Information Security and the Art of Contextualization
How do you react to that statement? Do you panic, do you get a fire extinguisher, do you do nothing? Without context, there is no way to know how, or even whether, you should react. If the fire is in the middle of the living room, then you need to put it out; if it’s in the fireplace, then that’s expected.
I often use this example when explaining contextualization and the need for information security professionals to provide that context. I’ve been in meetings where an information security professional will make a statement to general executive management. When executive management doesn’t respond the way the security practitioner wants them to, the information security practitioner walks away thinking management doesn’t “get it.”
What they don’t “get” is the context behind the statement. In the previous example, if you say the fire is in the fireplace, then that’s a good thing, it is expected, and it warrants no action other than enjoying it. On the other hand, if it’s in the middle of the room, then immediate action is required to put it out and contain the damage. The same example works when reporting security risks. If you say “there were 2,000 failed access attempts to system ABC123,” you don’t give enough context to make a decision. Were the failed attempts spread over two years across 4,000 different people, and only during password change events, or did they occur within two hours against two accounts? These two situations require different responses, but far too often, when talking about security risks, information security practitioners omit the context.
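To make the failed-login example concrete, here is an added illustration (not part of the original article) that takes the same raw count of 2,000 failures and derives the context a decision maker needs: the time span, the number of distinct accounts, and how concentrated the failures are. The event data and the thresholds in `assess()` are constructed for this example.

```python
# Added example: the same "2,000 failed access attempts" count, summarised
# with the context that turns a bare number into a decision.
from collections import Counter
from datetime import datetime, timedelta


def summarize_failed_logins(events):
    """events: iterable of (timestamp: datetime, account: str) failed-login records.
    Returns the raw count plus the context needed to interpret it."""
    events = sorted(events)
    if not events:
        return {"count": 0, "span_hours": 0.0, "distinct_accounts": 0, "max_share": 0.0}
    span = events[-1][0] - events[0][0]
    per_account = Counter(acct for _, acct in events)
    return {
        "count": len(events),
        "span_hours": span.total_seconds() / 3600,
        "distinct_accounts": len(per_account),
        # fraction of all failures that hit the single most-targeted account
        "max_share": per_account.most_common(1)[0][1] / len(events),
    }


def assess(summary):
    """Heuristic thresholds (constructed for this example) that turn the summary into a verdict."""
    if summary["count"] == 0:
        return "nothing to report"
    if summary["span_hours"] <= 24 and summary["max_share"] >= 0.25:
        return "concentrated burst against few accounts: investigate now"
    return "diffuse background failures: monitor, no immediate action"


# Constructed scenario 1: 2,000 failures spread over roughly two years across 2,000 accounts.
start = datetime(2022, 1, 1)
background = [(start + timedelta(hours=8.76 * i), f"user{i:04d}") for i in range(2000)]
# Constructed scenario 2: 2,000 failures within two hours against two accounts.
burst = [(start + timedelta(seconds=3.6 * i), f"admin{i % 2}") for i in range(2000)]

if __name__ == "__main__":
    for name, evts in (("background", background), ("burst", burst)):
        s = summarize_failed_logins(evts)
        print(name, s, "->", assess(s))
```

Both scenarios report the identical count of 2,000; only the derived context separates "routine" from "investigate now".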
The bottom line: when sharing security risks, or any type of risk within an organization, ensure you include the story or context behind the information so that everyone can make fully informed decisions.
The opinions in this article or that I post are my own and do not necessarily represent the opinions of my employer.