Typically, the security risks and challenges raised by your IT security team are only taken seriously after an actual cyber security event. Things such as ransomware or DDoS attacks quickly become a priority for executives and place them in a reactive mode. Being proactive is sometimes difficult to quantify in the IT security world, with the conversation sounding like, “That can’t happen to us; it has never happened before.” With that said, the IT security team first needs to identify the problem. Far too much time is spent here explaining purchasing solutions, budget and a potential solution’s features. The team needs to start with a problem-identification discussion with their Board and C-suite first. Once a problem has been identified, valued and understood as a business risk, then the solution to that problem should be discussed in detail.
How to define your cyber security issues
Sometimes the Board and execs don’t clearly state their agenda and become a “no” organization during initial discussions. This is not uncommon, since their role is to decide what time, resources and investments should be committed within the organization. The more research and insight brought to these discussions, the easier their decision becomes. Unfortunately, most of that information is not brought to the table initially, and several requests for additional resources and data are needed to illuminate the challenge at hand. Boards need briefings and education sessions beyond only being approached when something is needed from them. They are regularly made aware of current events, economic impacts, industry news and other relevant decision-making data. The IT security team can help by educating their Board during the times they are not needed for a decision. This will give the IT security team credibility and lay the groundwork for a better relationship when they need something down the road. A great example of this would be deciding whether your organization needs a security awareness training solution. Of course, you can start by simply listing a group of vendors, pricing, features, etc. But we know that’s the wrong approach, because that is jumping straight to the solution without discussing the problem in detail. First, you must discuss the problem statement, which is focused on the human risk in cyber security. Your goal would be to educate your employees so they understand cyber security best practices, and to lower your overall organizational risk through a cultural change and a basic understanding of cyber security risks. Now, imagine this conversation taking place within your organization. Your entire effort is spent on getting the Board to understand the problem first rather than just finding a solution. Explaining that over 95% of all security incidents involve human error might be a great way to open this conversation.
Now, imagine talking about very specific issues your organization could face when dealing with human error. What if your HR team opened a phishing email and gave away their credentials? What if an executive lost an unencrypted laptop? Talking openly about these scenarios will start to bring to light some of the risks associated with your problem statement.
Cultural differences and communication challenges to the board
Executives are focused on the business as a whole and have a lot on their plate trying to keep stakeholders happy – everyone is fighting for their time and priorities. An IT security team, most of the time, has its priority on security and only that. This tunnel vision sometimes discourages the team, since they don’t understand why the executive team doesn’t see that the security group is acting in its best interest. Executive teams also need to recognize that they are not experts in every subject. They require an explanation of the investment being presented to them, with clear evidence of how it will benefit the organization. Most organizations need a translator for this role: someone who can take the technical discussion and risk-based assessment from the IT security team and translate it into “Board speak.” Simply saying that security appliances and other investments are needed to protect against risks is not enough. Someone needs to break down exact scenarios of how the business will be affected when these threats materialize. It is not a matter of “if” but of “when” an event will happen. Acknowledging that, an executive’s role in an organization is to provide leadership and prioritize objectives based on risk and impact to the organization. The clearer the message on the impact of an attack and on what can be done to lower the risk or prevent it, the easier it will be to move the conversation forward to a solution. Oftentimes, the only way to break up a siloed discussion is to actually break the silo. To get someone to change their perspective, you must make them see the problem from a different angle. Imagine yourself in the shoes of the Board. They have to look at enterprise risk and make decisions and investments for the whole business. As an IT security team, this can be hard to see, since you are always looking out for your own investments within your group.
Presenting the process from the Board’s perspective and identifying enterprise business risk will give the IT security team a whole new appreciation for their role. On the other hand, having the Board look specifically at the IT security group can give them a great appreciation of how the team works to protect the organization. Although this exercise is not practiced often, have the two groups represent each other and their “silo” needs. The goal of the exercise is not to be a long, drawn-out process. The goal is to change the perspective on how the business should approach the different points of view on the risks the organization faces. With a change in perspective, priorities can be more easily understood and respected by all stakeholders, opening up a more refined discussion. If you’ve enjoyed reading this blog, take a look at the white paper Top Five Tips for Communicating Information Security to the Board.
About the Author: Nick Santora is the CEO of Curricula, a cyber security education company located in Atlanta, GA. Curricula provides cyber security awareness training and NERC CIP compliance training solutions using an innovative story-based learning approach. You can follow Curricula on Twitter @Curricula or check out their website at www.GetCurricula.com.
Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.