Many executive leaders are criticized for not caring about or understanding cybersecurity. This comes from the perception that they do not grasp the true threat landscape, that they are not allocating resources, and/or that they are not talking about the topic on a regular basis. For many organizations, there are good reasons for this perceived behavior. For others, the challenge is real. Let's dive into some of the contributing factors around engaging leaders in the challenge ahead of us.
Use the News.
Certainly, anyone who follows the news knows that not a week goes by without some media-worthy cyber event being reported. We are all becoming desensitized to the barrage of information on cybersecurity, primarily because we all use some type of electronic device today. Many people have entire households that are online! The more the news reports on viruses, cyber-attacks, privacy issues, etc., the more we tune out the noise. It has become the norm.
Apply that to the leaders of companies. They have priorities and issues that they must address on a daily basis. They have hired good people to ensure that they are protected from cyber-related incidents. They have probably invested in some tool or technology over the past year, often at a very high price. Imagine their surprise when every year (sometimes multiple times throughout the year) additional funding or resources are requested without much of a business case. It usually takes a major privacy or security incident to get their attention.
As a security leader, you will want to stay ahead of any surprise. Certainly, the answer is having a comprehensive strategy, a strong security program and a clear roadmap. Easier said than done. First, you need to create them; then, you need to find a solid way to present them to executives in a form they can consume. If done well, they will understand the cybersecurity program's maturity and realize it will need to continue to mature at the rate the threat landscape matures. Cybersecurity is not linear; it is circular. This is a key take-away.
Each company's focus is different. Each has a different risk tolerance. This too must be factored into your message. Metrics and clear examples are required as well. Subjective messages based on opinion are much more difficult to express in a convincing manner. Consider a dashboard that can be used regularly to show progress. Again, this should be tailored to your organization; however, many metrics are standard in the cyber industry today, and it's a good idea to make use of them.
In conclusion, it's up to you to demonstrate that you're competent, you understand the landscape, you have a strong plan to move the company forward, and, most importantly, you are showing progress. This NACD Resource Center is a great place to start. If you need more help, consider the skills of former CISOs who can help. Looking at CISO as a Service is one way to engage experienced individuals without having to fund someone full-time.