To maintain the security and integrity of your digital assets and company information, communication is key to addressing cyberattack risks and vulnerabilities. Read on for our top 10 ideas about communicating security information to your executive team, stakeholders and board members.
Chief Information Security Officers (CISOs) and Communicating Risk to Business Leaders
Chief Information Security Officers (CISOs) face challenges when speaking with business owners, executives and boards of directors due to various factors, including differences in perspective, language, and the understanding of priorities. Effective communication is essential for defining the goals and objectives of the cybersecurity program and for working together to achieve them. The continuous cybersecurity functions necessary for risk management are part of a journey that can become aimless, and fail to contribute meaningful progress, if they are not aligned and integrated with the operations of the business.
One of the primary reasons a relationship fails is that expectations go unmet. For the CISO to lead the cybersecurity program in a manner that meets the expectations of the organization, those expectations must be communicated and understood. Communication is not only sending a message; it is sending messages back and forth that are received, understood, confirmed, and responded to in a timely manner.
Here are our top 10 helpful ideas for CISOs and other business leaders to use in their communications about cybersecurity.
Communicating Information Security Risk
1. Prepare Your Message: State what you want to communicate as clearly and simply as possible up front. Whether it’s a security or data breach concern, a proposal for implementing a new security program, or a request for resources, make sure your message is well-organized and concise. Be especially clear about the purpose of the communication.
Examples of communication starters for your C-suite:
- I am providing an update for your awareness.
- I am raising a concern that we need a decision on.
- I am making a request for something specific to address a risk or concern.
CISOs must avoid presenting technical solutions before understanding the needs of the business. At times, a walking tour to visit key stakeholders one-on-one prior to a group meeting can be very effective for gaining input, guidance and support for proposals. These visits bring stakeholders into the process, engage other leaders as peers and colleagues to build trust and relationships, and can be extremely helpful in preparing not only the message but also the audience for complex topics and challenging situations.
2. Define Technical Terminology: Cybersecurity has no shortage of technical terminology, acronyms, and jargon that may not be familiar to business owners and executives. At times we communicate past each other using unclear words, concepts and ‘Techspeak’. A message masked in ‘Techspeak’ and jargon will often lead to business owners tuning out the CISO and missing the key points they are trying to communicate. CISOs must translate technical details into business terms that convey the potential impact of cybersecurity risks or cyber threats and the value of security investments. Communication with top-level business operations needs to be crisp and clear, as time is usually limited. Use the time wisely: avoid technical terms, define any acronyms you do use, and speak plainly in the language of the business wherever possible.
3. Close Communication Gaps: Cybersecurity professionals may struggle to translate technical details into business impact. They need to bridge the gap between technical weaknesses and the potential financial, reputational, and operational consequences. Learning what is most important to the business and how cybersecurity relates to those objectives is important to close any gaps in communication associated with cybersecurity risks.
4. Clarify Cybersecurity Challenges: Cybersecurity is a difficult field with rapidly evolving threats and technologies. Explaining these complexities in a way that is easily understandable to non-technical stakeholders can be challenging. When communicating cybersecurity information, focus on the risks that are most relevant to the organization’s strategic goals: how resources are currently applied to managing those risks, what shortages exist, and the timelines for progress toward the necessary increases in maturity. This is not a recommendation to whine about not having what you need; it is an opportunity to develop a strategy and business case for addressing the business risks in terms of likelihood and potential for loss.
5. Define Metrics: Cybersecurity often lacks clear and universally accepted metrics for measuring security effectiveness. This makes it challenging to communicate the return on investment (ROI) of cybersecurity initiatives to business leaders such as your CIO or other C-level roles. Too often CISOs do not present quantifiable data that enables informed decision-makers to act. These metrics are not elusive and can be assembled when some simple guidelines are followed:
- Define the goals, objectives and outcomes of the security program in relation to business risks.
- Assess performance and track progress towards the goals.
- Capture data associated with the activities and resources applied towards the goals.
- Estimate and scope what additional resources are needed.
Cybersecurity metrics do not need to be elusive and can be connected to business goals.
6. Manage Resource Allocation: Cybersecurity professionals often advocate for increased resources and funds for security measures. Business owners may see these requests as additional costs rather than investments in risk mitigation. Business leaders need to move beyond the idea that cybersecurity is just a cost center. Using the metrics associated with the cybersecurity program objectives (those that connect to goals, outcomes, and business risks) as the categories of work effort, track the time used and the time still needed, and then project when the objectives will be met. These timelines can then be adjusted based on changes to resource allocations. If the cybersecurity program is on track to be a 20-year plan, it will be relatively easy to make the case that it needs to progress at a faster pace and to show what it will take to do so.
7. Risk Tolerance: Business leaders will have a different risk tolerance than cybersecurity professionals. They may be willing to accept certain risks to achieve business goals, while cybersecurity professionals aim to minimize risks as much as possible. CISOs who are focused on technical issues often have a difficult time putting them in terms of costs and business risks. Putting cybersecurity risks in the perspective and terms of business outcomes or potential losses will help align decisions and needs, but it requires getting into the weeds of which activities contribute to which risks. Spend the time getting to the bottom of the technical issues and their relationship to the potential enterprise risks and threats. Explain how these issues relate to the company’s goals and the potential risks or benefits. These efforts will be one part providing education and one part learning more about the business strategies. Use this teaching and learning process as an opportunity to develop relationships with business peers.
8. Provide Context: If you’re discussing a specific security incident, such as a hacking or ransomware attack, provide the context of the threat(s). Explain what happened, why it’s important, and what security controls and actions have been taken or are needed to address the incident. A case study or relevant story describing a competitor or parallel-industry scenario is infinitely more effective in conveying your message than an overload of metrics and Techspeak, so make sure to combine this information wisely. Make sure the plot of your story doesn’t get lost in too much detail, and remember that time is limited.
9. Use Context to Create Awareness: Some business leaders may not fully understand the range of cybersecurity threats and may underrate the risks their business faces. This lack of awareness can hinder effective communication from the security team. Capitalize on the misfortunes of others by making the connection to incidents that have affected other organizations, draw the connection to your organization’s cybersecurity program, and if there is an ask to make be prepared to make it. Likewise, be prepared for questions that may be raised to your security leaders and seek ways to connect these questions to previous discussions where possible.
10. Stay Informed and Follow Up: The field of cybersecurity is constantly evolving. Stay informed about current security trends and issues in the threat landscape to have more meaningful conversations. After your conversation, send a follow-up email summarizing the key points discussed and any action items. This helps ensure everyone is on the same page and accountable for the next steps.
Summarizing Effective Communication Between Cybersecurity Professionals and Business Owners
Effective communication between cybersecurity professionals and business owners is necessary for making informed decisions that balance security obligations with the organization’s strategic goals and risk tolerance. Building strong communication bridges is a continuing effort that helps create a more cyber-resilient organization.
Utilizing a vCISO through GDT for your cybersecurity communication efforts
GDT’s Virtual Chief Information Security Officer (vCISO) can help move the cybersecurity communications in your organization to a more strategic level. Advancing cybersecurity capabilities and maturity levels involves many complex decisions. For many organizations, especially smaller ones that may not have the resources or the need for a full-time, in-house CISO, the GDT vCISO offering provides expertise, flexibility, scalability, and the specialized skills needed today.