Our recent study of security professionals’ attitudes towards upcoming EU legislation – namely the General Data Protection Regulation (GDPR) and Network and Information Security (NIS) Directive – highlights that many see the legislative changes as positive in both reducing incidents and changing perceptions. Whilst many expect some uncomfortable discussions with their senior management, this is an opportunity to educate business leaders – and in doing so to find a more real-world balance of expectations – as incident analysis and notification will drive greater knowledge and experience across the industry.
There are many things that will help improve communication around cybersecurity within organizations. Here are just a few top tips:
- Focus on education – Cyber education is important across the whole organization, but it’s clear from our research that there is often a disconnect, where business leaders are expecting more change, yet many security heads feel their leaders are not open enough to it. Security professionals need to help educate them about the dynamic world of cyberthreats – but with context business leaders can understand. Boards typically look at risk not in terms of what the risk is and what it takes to resolve it, but in terms of its commercial impact and how to balance the investment in capabilities to manage it. As cybersecurity leaders, we recognise the dramatic speed at which the cyber world we work in is moving. To communicate this more clearly, it is down to us to consolidate it into regular, digestible updates that provide business leaders with grounded, real-world insight. What’s essential, but all too often absent, is the commercial view – “What would this mean to my business?” It’s all too easy to get caught up in what many of us see as the fascinating details, but which business leaders reject as meaningless technical jargon.
- Find common ground – Often it can seem that business leaders are resistant to new ideas. All too often this is due to an inability to quantify the business value such ideas would bring, especially if the commercial risk could not be assessed to start with. There are many cybersecurity frameworks that include security metrics. The problem is that many of these are lagging indicators, and it can seem that, no matter what we do, things still happen. The challenge is to find leading metrics that show your preparedness both to identify and respond to risks and to act when the unexpected does happen.
- Run regular fire drills across the business – Too many organizations don’t update, train and test their staff and leaders on cybersecurity, leaving them slow to comprehend – let alone respond to – incidents. Typically, staff members from many different parts of the business all have a role to play and, like any mixed-skill team, they are only effective when they have been drilled regularly to work together through what can be a complex process on both business and technical levels. Being able to communicate across these levels is what drives a common language and goal. Going through such a process themselves can help leaders understand why there are no guarantees in IT security. A small gap in an organization’s security posture can have big implications, yet most business leaders are comfortable with accepting risks; the difference with cyber lies in quantifying that risk to an acceptable level.
- Agree on the balance of investment vs. risk – I have heard security leaders make promises that no cyber strategy can achieve, often driven by the need to make sure that the next change to their strategy gets approved. But yesterday’s good security can be tomorrow’s poor security because of the fluid nature of IT and changes in cyber risk. You must define what is acceptable – the line of risk that the business is not willing to cross. The new EU legislation helps define this line with its requirement for a level of security for networks and information systems appropriate to the risk presented. Where that risk changes, you must be able to help the business understand why, so that it accepts the need to change its investment in mitigating the risk. However, consideration should be given to the balance between protection, detection and response. The natural instinct is to invest in response, as the legislation adds a new requirement around notification. Yet to respond requires the ability to discover, and if we can discover, we are already on the journey to prevention. Typically, swifter time to discover is the core factor here, and this requires either more staff or better automation of your cyber capabilities (this, by the way, is a good leading indicator that can be proactively tested and measured). The core point is the importance of making a conscious business decision about where and why investments are made in cyber, and about the long- and short-term benefits. These must be agreed with business leaders if you expect to get their ongoing support and, critically, investment when required.
- Be honest if there are current shortcomings – Fewer than half of the cybersecurity leaders surveyed believed that they had done everything they could have done to prevent an incident. I’m sure many would argue this was down to not getting the requirements they needed, while others may simply have felt that they could always have done more with hindsight. Interestingly, some highlighted not having the time to investigate incidents. Yet the challenge is that, if we cannot live up to our own expectations, we cannot expect others to believe in our commitments. We should not accept that how things are done today should shape how they are done in the future. We must become our own biggest critics, looking for pragmatic ways to ensure we achieve the right balance relative to the organization’s level of acceptable risk.
- Change is positive – Organizations are constantly looking for new and innovative ways to go to market, yet in the dynamic cybersecurity space, we strive for conformity. We all look to apply the same best practices and principles. The EU legislation is a welcome opportunity to better engage the business in the cybersecurity discussion and raise the bar. It is equally a point at which to shake up what may be outdated cybersecurity concepts and beliefs. In a cyber world that is so dynamic, this is as close to a reset – or to use the technical term, “CTRL+ALT+DEL” – as we are likely to see, at least for the foreseeable future. As such, security leaders should leverage the legislation to redefine the principles of what cybersecurity can and should be in their business, rather than continuing to evolve decades-old, uniform concepts based on a very different IT foundation.
There is no reason to fear an attack, but there is reason to be concerned about readiness to defend against it and respond appropriately. CISOs and senior leaders can be ready to manage cybersecurity risk and prevent breaches together if the proper communication strategies are in place.
Further reading: Educate senior leaders upfront about security issues. A great, free, independent resource is the “Navigating the Digital Age” guide available on Security Roundtable.