
Few business people outside IT departments have any knowledge of current information security threats, according to BH Consulting founder and chief executive Brian Honan. In many businesses, few non-IT people have heard of even big information security threats like the Heartbleed vulnerability or attacks like the one on Sony Pictures, Honan told Computer Weekly last week ahead of Info Security Europe, running 2-4 June in London.
Lack of familiarity with the continually changing threats to information security is one of the biggest challenges to raising the cyber literacy and security awareness of non-technical executives. Most people on the business side see cyber security as something in the background or something that matters only for regulatory compliance. Despite the growing importance of information security to business, it is still not well understood.
Information security professionals tend to focus only on the technical aspects using terms and concepts unknown outside IT. This means they are struggling to engage with their business colleagues. This makes information security a mysterious part of the organisation that is associated with telling people in the business that they cannot do things because of security. As a result, info security professionals are usually seen negatively by the business, which presents further challenges to improving awareness and understanding of security issues.
Honan’s advice to information security professionals is to communicate better with the business in a way that is not too technical or difficult to understand. Translating security topics into business terms and metrics helps non-technical executives to see the value and benefit in security. For example, the number of spam email messages a filtering system is capable of blocking can be expressed as time and cost savings. Information security professionals should also talk to the business in terms of business risks because this is a more meaningful concept. This would make it easier to tell the business what security investments are needed to mitigate that risk or manage it at an acceptable level.