Awkward Conversations About Cybersecurity (and How to Avoid Them)

Rick Howard


Category: CSO Perspective

Happy National Cybersecurity Awareness Month! Now in its thirteenth year, this program is designed to highlight important cybersecurity considerations and teach consumers about proper cyber hygiene. It is in this spirit that I’d like to initiate a conversation about the importance of cybersecurity education at work, particularly as it relates to communication between security teams and the boardroom.

One topic that consistently comes up in my conversations with other CSOs and CISOs, no matter what industry they’re in, is the challenge of communicating effectively with their CEOs and boards of directors about cybersecurity issues. This isn’t to say both sides aren’t deeply invested and interested in cybersecurity; they absolutely are. The difficulty is that each has different pain points and agendas that may not be fully understood by the other, which can, at times, lead to some very awkward conversations about cybersecurity. It’s a widespread problem, as evidenced by a survey of IT professionals Palo Alto Networks recently commissioned, in which a third of respondents said involving upper management in discussions about cybersecurity issues makes resolving them more complicated.

Let me give you an example: Asked by his CEO to provide a “state of the union” regarding the company’s network security, a CSO conducts a thorough inspection of the network and, in the interest of being thorough and minimizing his own exposure, prepares an exhaustive report of every potential vulnerability and every actual piece of malware residing on the network. He shares it with the CEO and the board, who all marvel at its thoroughness but are left clueless as to what to do with it. Why? Because the CSO hasn’t provided the information they need to make business decisions about cybersecurity. Could all of the threats listed actually have a material impact on the business? If not, which ones require immediate attention, which ones can be dealt with as time and budget allow, and which ones can be ignored?

It’s communication problems like these that make cybersecurity such a complicated issue, so I’m glad that we, as a country and an industry, reserve time to talk about it together every October. As a committed member of the cybersecurity community and designated National Cybersecurity Awareness Month Champion, Palo Alto Networks supports the efforts of the Department of Homeland Security and the National Cybersecurity Alliance to help our country, citizens and organizations take a more focused and educated approach to this issue. Because until a universal translator hits the market, it’s the best shot we have at putting forth a united front in the ongoing fight to secure our digital way of life.


1 Reader Comment

  1. CSO may have found it helpful to have built the report with cooperation of matrices peers. For example, involving the enterprise risk team (perhaps led by Audit or Senior Legal/GC) would have prioritized each recommendation in terms of likeliness, impact, etc. – language the CEO’s leadership team and the board understand.
