How to Speak Information Security to Executives: A CSO Perspective
- Dec 09, 2015
- Guest Author
According to recent research, over 60 percent of survey participants stated their executives are only “somewhat” or “not at all” informed about the information security risks and threats their organizations face. In commenting on the results, I stated this lack of awareness is “astounding.”
In an age where data breaches crowd the daily headlines, lack of awareness is no longer an excuse for executives. Instead, executives must take an active interest in addressing information security as a business priority, or risk jeopardizing their business altogether.
One of the contributing factors for this lack of awareness is a communication breakdown between security leaders and other executives. I can’t tell you how many times I’ve seen executives glaze over when the conversation turns to the information security program. Executives have good intentions and the conversation starts well, but it falls apart quickly when technical and information security terminology comes into play. It’s not that executives don’t care, they simply don’t have the same point of reference as information security leaders.
Additionally, the lack of awareness at the executive level may also stem from failing to prioritize information security as a business risk. In a meeting with my previous CFO, I was discussing the risk posture of the organization. While I used metrics to convey progress and attempted to stay away from technical details, the CFO’s response remained, “That all sounds great, but I have no idea what you just told me. Just tell me this, are you going to keep us off the front page of the NY Times?”
What I learned from that conversation was, while information security is enough of a concern to warrant an executive-level conversation, many executives fail to prioritize it as a business problem requiring their active participation.
Back in 2012, General Keith Alexander (Ret.) referred to cybersecurity breaches resulting in the loss of intellectual property as “representing the greatest transfer of wealth in human history.” What does this mean to CEOs? It means a breach can cost you your future through the loss of your intellectual property. In addition, a breach can damage brand reputation, harm your customers, lead to job losses, and incur high penalties. Take Target as an example. Over two years after they announced one of the biggest breaches in U.S. history, they are still paying banks $39 million to settle lawsuits.
All this validates the need to prioritize information security as a strategic initiative that warrants a more concerted effort at the executive-level to manage, support, and fund.
So, what can information security leaders do to better communicate risk and cyber threats to executives? It’s a common question and, candidly, there is no easy answer. While it is important to measure risk and present metrics to executives, security leaders need to do more. Security leaders need to involve executives in the process, change the information security perspective to include a business-based risk management approach, and highlight how information security can be a competitive advantage for the organization. Sounds good, but how do you do this?
One recommendation is to set up an Information Security Risk Council (ISRC). The ISRC is typically comprised of senior executives, technical leaders, and security professionals who focus on addressing information security issues as business risks. In the past, I’ve organized frequent meetings and encouraged active participation so executives and other leaders became more in tune with the risks and threats the organization faced. More importantly, involving executives in the process allows them to better support the remediation efforts and appropriately prioritize information security efforts against competing priorities.
Another challenge lies in couching information security issues as business risks. For example, almost every contract I have reviewed in the past two years has language addressing information security requirements, including vulnerability management. In building a business case for a vulnerability management program, it may be easy to think about highlighting the number of technical risks in the environment, how the program will reduce the attack surface, how asset management will be improved, etc. This approach, however, doesn’t always resonate well with executives because it doesn’t use the common language of the business.
A better approach for security leaders might be to tie the need for a vulnerability management program back to business drivers that executives understand, and to use language that makes sense to them. As executives begin to see information security as a revenue generation or retention issue (a top priority for most executives) rather than a technical risk, they are more likely to allocate the appropriate funding for these initiatives. Other business drivers critical to executives that security leaders can consider for positioning their security initiatives include compliance, brand protection, corporate objectives, and competitive advantage.
A couple of years ago, I worked as a consultant to a growing insurance adjusting firm and did an information security risk assessment. They had an agreement with a national insurance carrier that required them to comply with contractual provisions regarding their information security controls. As part of their information security strategy I recommended that they go through an SSAE 16 audit to certify that they had the appropriate controls in place to meet the contractual demands. They quickly recognized that as one of the first organizations in their vertical to go through this process, this would create a competitive advantage for them. Not only would it help streamline the certification process with their existing customer, it would help them demonstrate a level of organizational maturity to other large customers, making them a better choice as a partner. The ties between information security and revenue retention and growth made conversations about complex information security issues much easier for the executives of the organization to understand and embrace.
The responsibility for executive awareness of information security risks and threats is shared between executives and information security leaders alike. Executives must be willing to learn more and dig into the details. Information security leaders must do a better job of speaking in business terms and tying information security risks to business imperatives. The collaboration between security leaders and executives will reduce the gap in awareness and improve the risk posture of many organizations.