Street cred is key. It gives you the benefit of the doubt when it comes down to how much weight your opinion carries.
For cyber security pros, swagger with the C-suite isn’t always easy but it’s vital to improving the organisation’s overall defenses. The ability to communicate risk and define needed steps to improve is critical to any business...and a CISO’s career.
How often do you hit barriers when trying to discuss cyber strategy with leadership? Have you boiled it down to things that make sense to them? Or are you speaking in bits and bytes? In most organisations, there is a major disconnect between cyber and the business. Different terminology. VERY different levels of technical understanding. Different personal drivers. The list goes on and on.
With a new data breach every week and significant resources at risk, leadership needs to understand they’re now being held accountable for the damage and likewise, security teams need to recognise - and improve - how they communicate cyber risk up the chain. The better security can report and explain to management what they need to know to make solid decisions, the better chance for an increased opportunity for real influence. And street cred for the future.
In theory, this sounds great but practically speaking, where do you start? By adding risk intelligence to your overall security program, you can communicate cyber risk outcomes to decision-makers.
American financial executive, author, and Columbia University professor Leo Tilman defines risk intelligence this way:
“The organisational ability to think holistically about risk and uncertainty, speak a common risk language, and effectively use forward-looking risk concepts and tools in making better decisions, alleviating threats, capitalising on opportunities, and creating lasting value.”
Most organisations already do some form of risk intelligence under the auspices of business intelligence. Executives closely track their sales and product pipeline, regularly take the temperature of customer interactions and measure supply chain and logistic performance.
In those typical instances, there is an important dimension missing: the cyber fabric. The cyber fabric is the underlying dependency on technology that makes the wheels turn and keep a firm grip on the road. Today’s businesses are absolutely dependent on technology and when you have a flat tire or somehow lose traction with that road, the entire business goes into a skid.
Cyber risk intelligence constantly measures the cyber fabric that keeps your business units moving along the highway. It looks at your organisation’s business unit goals, the processes and tools that supports those goals, and the data the tools are processing. In other words, it gauges weather conditions for the road ahead and it monitors your vehicle to ensure you can proceed with assurance.
Put into cyber terms, cyber risk intelligence gives you situational awareness of what bad actors are active in your space, what targets those actors are looking to exploit, what effects or harm those actors are causing with their efforts and what practices and methodology those actors are using to accomplish their own goals. Overlaying this situational awareness with your cyber fabric gives you insights into whether or not your organisation is well-positioned for cyber risk. It shows you gaps that you then need to share with executives, using a common language they understand. Here are 4 tips on how to do that:
Steps to Up Your Cybersecurity Game with the Business:
1. Build cross-functional relationships and learn from them.
Your organisation is already likely reporting business intelligence to leadership - whether it’s tracking the sales pipeline, product initiatives, financials, logistics, supply chain, etc. Start having conversations and building relationships with the individuals who own those reports. They likely have already been down the road of how and what to report to the leadership team and can give you an idea of expectations without having to go through trial and error on your own.
2. Identify cyber-related barriers to business unit goals
Take the time and effort to research and understand what the goals are for each business unit within your organisation and understand potential cyber related barriers. Having a top-line view of the business can help you shape needed cyber security measures.
3. Collect, analyse and share evaluated cyber intelligence.
Evaluated cyber intelligence consists of learned risks… the things you know. Put the time in and be diligent about data collection so you can communicate things in proper context and relate them back to overall business impact.
4. Focus on risk and DO NOT get technical.
Explain cyber related threats by relating them to business goals. What are the potential threat consequences and what is the likelihood those threats will occur? Remember you’re not in an engineering meeting, you are in a business meeting and keeping that focus and delivering the right message to the right audience gives you street cred. Focus on what they care about and how cyber threats may impact them. Some topics to include:
- What threats are active that can impact their goals?
- What is the likelihood of occurrence of those threats?
- What business process could be effected?
- What are the consequences if the threat does occur?
- Have others in the industry been impacted by those threats? If so, what were the outcomes?
- Can the likelihood or consequence of a threat be reduced?
- Does the consequence impact revenue, customer or product generating activities?
- How can the threat impact the organisation's regulatory posture?
When talking security with leadership, your success lies in communicating risks to the business unit goals. By doing so you can create lasting value to the organisation. And in turn build your street cred for future discussions.
Adam Meyer is Chief Security Strategist at SurfWatch Labs Prior to joining SurfWatch Labs, he was CISO at Washington Metropolitan Transit Authority, one the largest public transportation systems in the United States and Director of Information Assurance and Command IA Program Manager for the Naval Air Warfare Center, Naval Air Systems Command.