We’ve been saying that cybersecurity is a board-level issue now for years. However, cybersecurity teams continue to struggle to get the attention that cyber risk deserves from directors and executives.
Things are getting better
Regulations from organizations such as the US Securities and Exchange Commission (SEC), the European Union (EU), and the Australian Government (amongst others) are giving boards and executives little choice but to stop pretending cyber risk is not a key material risk for any business. That is why boards and C-level executives are now starting to at least say that they care about cybersecurity.
Of course, saying they care and wanting to do something about it are two completely different things. According to recent research by MIT Sloan and Proofpoint, two-thirds of board members believe their organization is at risk of a material cyber-attack. Despite this majority, only 23% think an attack on their organization is very likely. That might explain why 75% felt they had made an adequate investment in cybersecurity.
The disconnect remains
Cybersecurity professionals know that in most organizations, cybersecurity is vastly underfunded when considering the likelihood and material impact of a cyber-attack. Why the disconnect?
The same MIT Sloan/Proofpoint study found data suggesting that boards and executives still perceive cybersecurity as a purely technical discipline rather than a business one.
The truth is, it is both. This matters because investment tends to flow toward cyber protection capabilities while everything else is ignored. A holistic approach to cybersecurity must also be about resilience and business continuity.
Improve access and communications
Whether you are a board member, business, or security leader, ask yourself honestly: “What are your relationships like outside of board or business leadership meetings?”
If you only speak about cyber risk, security, and/or resilience during scheduled meetings, which typically happen quarterly, or monthly at best, how can you really be agile and aligned in managing cyber risk in an environment as dynamic as technology?
Sales and marketing people get a tough time in many industry circles, but there are a lot of concepts from those functions that can apply here. From our experience, the onus to advocate for and communicate cybersecurity typically falls on cybersecurity leadership. While it might feel uncomfortable or unnecessary for some, the reality of it is, a cybersecurity leader’s job includes advocating for (i.e. selling and marketing) the cybersecurity function and appropriate management of cyber risk at the highest levels of the business.
Fine tuning cybersecurity articulation
I’m sometimes guilty of doing this too, because it’s human nature to use the terms you are familiar with, regardless of the audience you are trying to communicate with. Something that seems basic to someone who has been a cybersecurity professional for some time is still a completely new language for others who are not as well-versed.
Boards and executives usually want answers to the following.
The “Why” and “What”:
- Why do we care about cyber risk?
- What are our key assets?
- What are our cyber risks and capabilities?
- What are our goals and desired outcomes?
- What are the gaps?
The “How” and “When”:
- How are we measuring cyber?
- How are we currently doing and is it enough?
- How are we going to close our gaps?
- How do we know we are spending the right amount?
- When will we get there?
It is possible to answer those questions without using technically specific cybersecurity terminology and acronyms. Most importantly, stop using buzzwords. If you feel the need to use jargon or buzzwords, you aren’t trying hard enough.
If you’re still struggling to come up with the right articulation, ask yourself “so what”.
For example, cybersecurity teams often like to point out that a bunch of servers have not been patched for 3 months. Telling a board or business leader that fact on its own doesn’t say much. You haven’t told them whether they should be concerned and, if so, why.
So what?
Well, leaving those servers unpatched could result in critical systems being unavailable due to a cyber-attack, leaving the business unable to process customer transactions and costing it $1M per day.
That’s the “so what”.
Building blocks to align on cyber resilience
Align to business goals and language:
- Use the language of risk, business impact, capabilities, and outcomes.
- Technical security risks are not the same as cyber (business) risks, but they are related.
Right-size spend by aligning to outcomes:
- Manage progress against a strategic, defensible plan.
- Investment is almost always driven by regulatory requirements, risks, key industry trends, audit findings, and business/financial impacts.
- The key cyber risk metrics being tracked and reported on must have logical, defensible ties to each other and to the plan and investments they support.
Operationalize how you monitor and report on progress:
- Make the way you do this repeatable.
- Focus on the business representation of cybersecurity and build a permanent bridge to translate cyber in a normalised way.
- Consistency is key so that boards and executives do not have to learn a new “language” every time they talk about cybersecurity with the cyber team.
For boards and executives, cybersecurity is really about managing risk. Bearing this in mind, cybersecurity teams then need to ensure they consistently answer the “why”, “what”, “how”, “when”, and “so what” questions.