Niels Zimmer Poulsen is Head of Security Engineering at Check Point Software Technologies in Denmark. As the leader of his team of Security Engineers, Niels is responsible for finding the right IT security solutions for the company’s Danish customers. Niels Zimmer Poulsen has been employed at Check Point since 2015.
In this outstanding interview, Niels Zimmer Poulsen discusses whether or not the criticality of cyber attacks has reached upper management. He also shares his top three CISO communication tips, and provides insights into how concerted effort from all parties can lead to much improved decision making.
Tell us about what you’re seeing
Let me start by saying that, yes, information security has reached the table of most companies’ upper management. And, based on the news that comes in almost every day regarding cyber attacks and data breaches, upper management should be aware of the immediate threats and the possible consequences of attacks.
Although many are aware of the potential harm, a lot of companies still work from a more reactive approach rather than a proactive approach. Today’s ever-increasing cyber risks require businesses to use proactive decision making in cyber security capability development. Allocating resources to cyber security should be a top priority for any organization.
Do cyber security professionals and executives generally agree on cyber priorities?
No, not always. That’s why it’s so important that the appropriate assessments are made, so that they are aligned. The cyber security professionals know what is important and critical to the business and the executives know that they should support the actions put in place by the experts to mitigate risks that could affect the business.
What is upper management interested in when it comes to cyber security reporting?
Upper management should always be focused on the business, so the reporting should show how the current security level fits with current business needs. So, they might be interested in a risk-oriented, holistic, and validated view, which shows the cyber security impacts from the financial and business perspectives.
It’s important to understand that the reporting and feedback given to management has to show its value – both what value it brings with the current security measures in place and what additional cyber security would add to the overall risk level – so that they can support allocation of funds, if required.
Challenges in communicating cyber security messages to upper management?
The general perception has been that cyber security is a technical problem, an issue that should be solved by the technical IT staff. This “technical” problem has to be converted into an “organizational” problem, where the issues should be anchored at the top.
Cyber security risk needs to be considered as a significant business risk by upper management. This can be achieved by ensuring that the IT staff manages to explain that information security does not have to be complicated or a showstopper. Turn it into a positive thing, something that keeps you out of trouble by avoiding possible data theft/leakage, downtime etc. It’s simply helping the company minimize the risk of losing business.
What are your top 3 recommendations around CISO communication with execs?
- The CISO needs to understand the business and the language used. Use terms that the execs can relate to, like ROI and KPIs.
- Make sure that the security measures are aligned with the business needs. Translate the details into a format that relates to the business risks.
- Work on relationships with people and educate them on the evolving security risks.
What else would enable executives to make better decisions?
Again, cyber security risk needs to be considered as a significant business risk by the upper management. When they understand and are informed about the criticality that lies behind the decisions, with regard to proper information security measures, they should be aware of what is required.
Also, the more they know – through internal reporting, auditing, etc. – the better they’ll be able to correctly appraise situations and circumstances.