At this point, the value of cyber security should be readily apparent to Board members and executive leadership. Major breaches are in the headlines on a near-daily basis. A cyber security incident could lead to serious financial costs for companies, reputational damage, and loss of consumer trust.
Nonetheless, conveying the risk to senior leadership and board members can continue to present challenges. Boards and executives are contending with cost pressures, narrow margins, digital transformations, mergers and acquisitions, along with competition for consumer mind-share and market share.
Communicating about cyber security
Research shows that the majority of people who serve on the boards of public companies, and most members of leadership teams, are not well-versed in cyber security. While Boards and executives generally see value in cyber security, and some are adding persons with such expertise, business leaders may not be entirely clear on the relationship between cyber security and the achievement of business growth objectives.
In the last few years, the number of technology-focused Board members has increased. But given the momentous and pressing challenge that is cyber security, CISOs and cyber security leaders need to promote transparency, and must continue to win the hearts and minds of executive-level leaders.
Strategies for CISOs
1. Start a conversation. CISOs should engage leadership around cyber security and business needs in order to help everyone make the best decisions possible. For example, CISOs may wish to initiate a dialogue about the business's “crown jewels,” the data, resources and physical assets that are in greatest need of security protection. If everyone agrees on what these are, more budget may become available, stronger security can be applied, and fewer security complications are liable to arise in the future.
CISOs can also engage executive-level persons about current security vulnerabilities, possible threats, and how the two can combine to affect business functionality. Discussions of how to contend with security risk should cover long-term strategies, return on investment, and the everyday cyber hygiene measures expected of employees.
This first strategy, starting a conversation, serves as a cornerstone for the strategies that follow.
2. Leverage storytelling. As a CISO, you might address the board for just a handful of minutes every quarter or every year. Make these minutes matter. Ensure that the messages are clear by incorporating concise stories into presentations. Stories can prove more effective than raw numbers and PowerPoints.
CISOs with extensive technical backgrounds should take care to build narratives at a high level: narratives that highlight a few recent incidents and the impact that they had, or could have had, on a given business. Making connections between incidents and everyday business functions can put things into perspective for leaders.
3. Establish a “Cyber Everywhere” mentality. As organizations’ ecosystems expand, digital footprints also expand, and leadership may wish to incorporate cyber risk mitigation within the overall business strategy. In the strategy development process, CISOs should convey that the state of organizational security also affects external organizational ecosystems, and that everyone should be prepared for a supply chain, downstream or multi-organization attack.
4. Collaboration. Share information about how your organization’s cyber security team works cross-functionally with departments and employees throughout the business. As alluded to previously, also be sure to share information about how the team partners with external groups to enhance cyber security.
5. Employ metrics. Use metrics to quantify risks, to frame the discussion in dollar terms, to demonstrate security maturity, and to tie information to business outcomes. A metrics-driven approach can connect the dots for analytically astute executive-level leaders.
6. Ready for questions. Ensure that you and your team are prepared to answer tough cyber security questions in simple, everyday language. For example, company leaders commonly ask CISOs about the extent to which a company should invest in cyber security. The right answer to this question will be based on a combination of general benchmarks, organizational security maturity, the organization’s industry, resources, and other variables.
Similarly, on the surface, questions about ROI can be tricky to answer in a direct data-driven way – but CISOs can leverage ROI formula calculators, and the extensive research that exists on the subject.
7. Talent models. Because security teams are often inherently and unavoidably quite technical, one new and popular strategy is to recruit professionals with impeccable business and communication skills and to offer them more technical training on the job.
In addition, because hackers often possess little formal training, some organizations are now intentionally giving less weight to new hires’ formal education. If your organization adopts these strategies, consider communicating them to the board, so as to prevent future issues.
The cyber threats are evolving and the stakes are higher than ever before. Going forward, CISOs will need to ensure that the board and executives are ready to address risk and to perceive it as a strategic imperative.
For more executive-level insights, see CyberTalk.org’s past coverage.