How can I explain technical concepts related to business management who lack background to understand?

I am an IT auditor. I am writing a report for a security review / audit that I completed of a business application used by my company. I have found weaknesses related to MITM (Man in the middle) and insecure hashing of passwords.

This application stores and processes rather sensitive information which includes Personally Identifiable Information, including but not limited to social security numbers. Obviously, given the nature of this data, security and confidentiality are crucial. Without strong encryption through TLS version 1.3, information could be disclosed and/or modified in transit.

My question is, how can I explain to management this risk to business without explaining the technical details? My goal is to have management understand the risk to come to an educated decision regarding taking action on this point.

edited Jul 12 '16 at 9:50 – Charmander
asked Jul 12 '16 at 3:19 – Anthony

  • 1
    Security.stackexchange.com would be a better fit. VTC
    – paparazzo
    Jul 12 '16 at 3:45
  • @technik Empire, I am an IT auditor and writing these reports is a part of my job duties
    – Anthony
    Jul 12 '16 at 11:21
  • 5
    @Paparazzi the question isn't about security, it's how to explain it.
    – Richard U
    Jul 12 '16 at 13:22
  • This question is being discussed on meta: meta.workplace.stackexchange.com/questions/3795/…
    – Monica Cellio♦
    Jul 13 '16 at 0:16

4 Answers

0 votes

First of all, if you are storing such sensitive information, it is most likely that you must conform to some sort of external regulation regarding how to store that information. In such a case you can simply say to management that you don't conform, and point out the penalties for non-compliance. You shouldn't have to explain the nitty gritty to them as they are paying you to understand that part for them.

Secondly, if you aren't in a regulated industry (but it sounds like you should be) then you can't teach management technical details as after all, if they found technical details all that interesting then they wouldn't have pursued management. Your only recourse then is analogy, the simpler the better.

After steps 1 and 2, if management still doesn't want to listen then you have to make a judgement call as to how you feel about working there.

  • 1
    Downvoting for "if they find technical details all that interesting then they wouldn't have pursued management". There's nothing that means managers can't be interested in technical stuff: maybe they're just better at management than tech.
    – Philip Kendall
    Jul 12 '16 at 4:55

4 votes, accepted

As this answer says, you first explain the consequences in ways relevant to the manager -- compliance, sales impact, bad publicity, ethics, or whatever applies in your case. In addition, though, you should be able to explain the technical aspects, at least at a high level, to anybody from your peer to your manager to your Uncle Ted who still uses a VCR to watch TV shows.

For example, here's how Wikipedia's page on MitM attacks begins:

    In cryptography and computer security, a man-in-the-middle attack (often abbreviated MitM, MiM attack, MitMA or the same using all capital letters) is an attack where the attacker secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other.

(Wikipedia is a good place to look for accessible explanations of specialist topics.)

Understanding that doesn't require any technical knowledge; you're explaining that there is, as the name implies, a "man" (agent) in between the user and the server he thinks he's communicating with. You can then go on to use an example to explain what happens and how the attacker gains access (as that Wikipedia page does). Start high-level and let the manager's questions guide what else you say; he probably doesn't care about the details of encryption algorithms or DNSSEC or certificate pinning, so don't lead with the technical details. (If he does care, he'll let you know.)

The reason you are having this conversation at all is probably that you need him to make a decision. Give him the tools to make that decision, be ready to provide additional information if he asks (or clearly needs it, e.g. because he's misunderstood something), but help him focus on his problem, not yours.

edited Apr 13 '17 at 12:48 – Community♦
answered Jul 12 '16 at 15:22 – Monica Cellio♦

8 votes

You've pretty much answered your own question here:

    How can I explain to management this risk to the business

You need to phrase your report in these terms: what would happen if a third party got its hands on those SSNs? I don't know the precise answer to that, but it's a combination of "our customers lose all faith in our business" and "the regulators drop a ton of bricks on us from a great height". Both of those are clearly bad outcomes, even to a manager without any technical background.

answered Jul 12 '16 at 5:05 – Philip Kendall

                            up vote
                            2
                            down vote









                            I've had the pleasure of talking to people of all levels of technical competency, from high-powered techies all the way down to people who literally did not know how to turn the things on.



                            The best way to talk tech to a non-techie is: Don't.



                            Analogies are the only way to get your point across translate the effects into terms they can understand.



                            For example, I once was asked what the difference between PC memory and HDD memory was, and what each did. I used the analogy of a desk and a file cabinet. I told the person that if you have a big desk, you can have plenty of things on it before you need to go to the file cabinet, but when you do, you need to stop what you're working on to do it. The desk is your memory, the file cabinet is your hard drive. The more memory you have, the less often your computer has to go to the HDD, and the faster it works. It's the same as if you had to stop working and go to your file cabinet constantly.



                            Take a similar approach with the management. Explain that Encryption is a lock and that the data is like the contents of their house (use a family member's house for a higher impact). And just like you wouldn't want to put a cheap lock on the front door so that even an amateur could break in and steal or hurt a family member, you don't want cheap encryption (lock) that even a script kiddie could break through and hurt the company or it's customers.







                            answered Jul 12 '16 at 12:33
                            Richard U


                                up vote
                                0
                                down vote













                                First of all, if you are storing such sensitive information, it is most likely that you must conform to some sort of external regulation regarding how to store that information. In such a case you can simply say to management that you don't conform, and point out the penalties for non-compliance. You shouldn't have to explain the nitty gritty to them as they are paying you to understand that part for them.



                                Secondly, if you aren't in a regulated industry (but it sounds like you should be) then you can't teach management technical details as, after all, if they found technical details all that interesting then they wouldn't have pursued management. Your only recourse then is analogy, the simpler the better.



                                After steps 1 and 2, if management still doesn't want to listen then you have to make a judgement call as to how you feel about working there.






                                answered Jul 12 '16 at 3:36
                                Peter M


                                  Downvoting for "if they find technical details all that interesting then they wouldn't have pursued management". There's nothing that means managers can't be interested in technical stuff: maybe they're just better at management than tech.
                                  – Philip Kendall
                                  Jul 12 '16 at 4:55











