There’s another useful article on Forbes. “How to talk to the board about cybersecurity” is written by an experienced CIO, John Matthews. Here are some useful excerpts with my highlights:
- For technical professionals who increasingly find themselves plucked out of technical operations centers and dropped into boardrooms, learning to speak the language of business is critically important, not just for their jobs and teams, but for the business as a whole. If a CIO can’t effectively communicate budget requirements, or a CISO can’t articulate why the risk outweighs the efficiency that would be gained by rolling out a particular technology, it puts not only technical, but business operations and security, at risk.
- …while security teams increasingly recognize the fact that breach prevention is a losing strategy, oftentimes the board is not quite there yet. Just as security teams are recalibrating their efforts towards detection, mitigation, and resilience, CISOs should encourage the board to look at how the organization is equipped to respond when the inevitable occurs—including how it will recover.
- In the day-to-day of security operations (SecOps) and IT operations (IT Ops), priorities often come into conflict. One is focused on performance, which requires speed and agility. One is focused on protecting critical assets and data, which can often mean strict requirements and lengthy evaluations. But for the board, the only consideration is how these two things are supporting (or hindering) business operations.
- CISOs and other security leaders do need to find ways to avoid being pigeon-holed as the team of “no.” If CISOs, together with CIOs, can demonstrate a clear understanding of business requirements and objectives and talk about what security measures need to be in place to achieve them, it reframes the conversation around “when” not “if.”
- Ultimately, security is about tradeoffs: risk vs. reward, risk vs. speed. If you, as a technology leader, can demonstrate that you understand those tradeoffs and are capable of moving forward while balancing those risks, you will be seen as an asset to the success of your business, not a roadblock.
Let me talk for a moment about these excerpts.
- If a practitioner wants to have effective communications with leadership, he or she needs to use the language of that leadership. In most cases, that is business language. When it comes to risk management, I advise avoiding the four-letter word ‘risk’. It immediately causes a reaction in the listener that may hinder effective communication. Talking in business language about ‘what might happen’ is easier for everybody.
- It is nigh impossible to have 100% certain breach prevention. Do what makes business sense, but make sure you have measures and tools that will help you detect breaches and what hackers are doing promptly. The average detection time of 10 months is clearly unacceptable. Then have a discussion with business leaders about what might happen should there be (when there is) a breach. Invest in defenses consistent with the level of harm and how much it is reduced by such investment, and then ensure you have response processes that will minimize the damage and keep the business running.
- Discussion about cyber risk should be based on the way in which a breach might affect the business and the achievement of enterprise objectives. Please see Making Business Sense of Technology Risk, where I review existing cyber risk standards from NIST and elsewhere, and suggest a better way to assess the ‘risk’ and work with management and the board to make quality business decisions about handling it.
- Practitioners should focus on how they can help the organization succeed instead of helping them avoid failure. They need to be the department of ‘how’ instead of the department of ‘no’.
- Credibility and respect are gained (and truly earned) when practitioners can express their concerns within the context of business success. Know when it makes sense to take the risk of a breach, because at some point there are better ways to spend the organization’s limited resources than on further investment in cyber. Investing money in cyber comes at the cost of investing in a marketing campaign, product development, customer service, and so on.
Saying that cyber risk is ‘high’ is meaningless. Business leaders don’t know how much to invest in cyber, especially if they understand that the risk can never be eliminated and that the hackers are constantly developing new and better ways to break in.
I welcome your thoughts on the above and how practitioners can help.