Whilst large-scale data breaches are getting more media attention than ever, it’s clear that there is still a disconnect between an organisation’s board and the realities of cyber-threats.
From the Yahoo breach to the Equifax breach, it’s becoming more and more obvious that cybersecurity is still ‘black magic’ to the board. With the introduction of legislation such as GDPR, organisations that fail to comply risk being crushed by fines and severe reputational damage, and it’s believed by many that criminal liability may be just around the corner. So, just how can the board get up to speed and connect with the realities of cybersecurity?
My unique perspective on the cybersecurity landscape comes from 15 years as a frontline practitioner; I was a penetration tester (or ethical hacker) and incident responder. During this time, I was involved in thousands of vulnerability assessments, penetration tests, incidents, investigations, and mock scenarios. Throughout my years working within the realm of cyber, I always wondered why so many organisations, from Fortune 500 companies to smaller independently run businesses, suffered from the exact same security challenges. It wasn’t until I became an executive myself (Chief Information Security Officer) that I figured it out.
Security professionals have their own vernacular that is not only unique within the Information Technology world, but completely unique to them. They use terms like threat, vulnerability, exploit, compromise, beachhead, privilege escalation, and exfiltration. These terms are used to describe, in detail, the minutiae of an event where accuracy and precision are paramount to success. This is how they write because this is how they think, and because this is their success criterion: very specific technical detail. This is the language of the cybersecurity professional, and it’s spoken by few others outside their peers.
For years, cybersecurity professionals have tried to communicate the risks, threats, and vulnerabilities they have uncovered to their organisations or customers, only to have those messages overlooked, marginalised, or altogether ignored. The reason was not that these issues were unimportant or even non-critical; the long list of data breaches illustrates just how important they were. Rather, they were communicated improperly, using unclear language.
A very wise man once said that a common language is essential to the success of any organisation. One of the main reasons executives, boards of directors and cybersecurity professionals are failing to build robust security frameworks is that they can’t find this common ground.
If we step back from the world of cyber for a moment, one of the most basic components of communication is knowing how to effectively relay your message to your target audience. Communication is a combination of message sent and message received, and breakdowns can occur in either part of the process. For years, the cybersecurity industry failed to adequately understand the importance of this critical, non-technical aspect of its job. Practitioners saw the lack of understanding or response from executives and boards as the result of indifference or malaise towards cybersecurity, when in fact it may actually have been a result of their own inability to understand their target audience and adjust their messaging to ensure that what they were sending was indeed what was being received.
In my transition from security practitioner to executive, I have witnessed these communication challenges first-hand but have identified a path forward. Like any other relationship where communication is important to success, this too can be addressed by understanding the other party’s frame of reference and using language that they can easily understand. The language spoken and understood by the board includes terms like risk appetite, brand damage, valuation, and profitability. They are focused on the overall success of the business against the backdrop of financial success as defined by their investors or shareholders. Therefore, any messages they are sent are going to be interpreted through this lens.
Cyber risks and the impact of an incident can very easily be connected to the concepts understood by boards. Large-scale breaches at Equifax, Yahoo, Wonga, Three, Sports Direct, and Tesco Bank (just to name a few) have provided examples ranging from plummeting stock prices and devaluation to protracted litigation and executive resignations. These are real-world impacts that have a direct correlation to the things boards care about. Utilising this sort of vernacular in cybersecurity risk messaging will ensure that message sent and message received are the same thing.
Suitable communication between cybersecurity professionals and boards will also lay the foundation for building that common language that is so important to success. Pentest or incident response reports, which are typically mired in technical jargon, should be translated by the CISO to show the direct nexus between the findings and the business impact from a board perspective. Likewise, board members should begin to see the connection between their organisation’s security posture and their brand reputation and financial positioning in the market. As each group strives to understand and speak the other’s language, communication between them will become easier and hence more impactful, resulting in their organisations having a better security posture.
It’s not often that communication strategies and linguistic nuances are addressed when talking about cybersecurity; however, I have found them to be the missing link that will help cybersecurity professionals and boards of directors address the threats that they are collectively facing. Without question, these two groups have the best interests of their organisation in mind, and by working together to identify, define, and understand a common language, they can greatly increase their chances of success.