Translating Cyber to the Business and the Business to Security teams

Yael Nagler
Sep 5, 2019
https://dilbert.com/strip/2019-06-27

The one constant across Chief Information Security Officers (CISOs) is that each of them has different expectations to live up to in their role. The role of CISO is still relatively new, and companies haven’t yet embraced a consistent set of expectations for CISOs to deliver. Adding to the confusion, each CISO has different training and professional experiences that got them to their role. So, it’s easy to understand how these discrepancies could lead to misalignment and unclear messaging.

There is no clear roadmap for effective engagement or communication between security leaders and their business partners and peer executives. The way that security leaders communicate with their business partners in the boardroom and the way that business leaders engage with security increasingly suffer from unintended misunderstandings.

Being able to effectively deliver the right message, the right way, is one of the clearest ways to reduce risk and strengthen the value that cybersecurity brings to the whole organization.

Executives and CISOs need to speak BOTH cyber AND business

To illustrate a point, let’s broadly generalize the difference between cybersecurity and business professionals. Cybersecurity leaders are predominantly focused on technology tools, risks, system vulnerabilities and design interdependencies (possibly to the exclusion of business context). Business leaders are predominantly focused on operational processes and revenue growth (possibly to the exclusion of considering information risk). For each to do their job well, they NEED to tap into each other’s core strengths and focus areas.

So, how do we bridge the gap between cyber and business executives to deliver better outcomes?

Good managers are often described as being good teachers. They take the time to explain the principles to their staff. Yet, when put in a room of their peers, these same executives are less likely to invest the time to provide the relevant (and often necessary) context to benefit from the diversity of experience and expertise around the boardroom.

Cybersecurity is complicated, technical and requires business context to appropriately assess risk and prioritize resources. As executives, we have a responsibility to our stakeholders to get it ‘right’ and that starts with translating cybersecurity concepts and principles to our business partners, and explaining our business to our security teams. Just because we may be in a rush or dealing with a crisis doesn’t give us a pass to speak in ‘code.’

  1. If you’re in the room, you belong there. If you’re sitting around the boardroom table, you have an equal responsibility to identify and correct potential communication misalignment between security and business.
  2. Ask your colleague to “use more words.” Sometimes, the problem isn’t that we don’t understand, it’s that we need more context and description to see the point that is being made. This expression is an easy and non-threatening way to get additional context and information even if you don’t know specifically what to ask for.
  3. Expect questions or ask questions. This is a two-way street. If you’re the listener and you’re not sure that you understand, ask clarifying questions. And if you are the speaker and aren’t getting signs of active listening from your audience, ask THEM questions.

For the CISO: Know how to most effectively message to your stakeholders

Security leaders have interactions with diverse stakeholders who have varying needs. Delivering all the messages to all the users without considering each of their styles or needs generally means that few, if any, of the stakeholders get what they actually need.

Engagement should be purpose-driven. The message should have a purpose that connects for each recipient. It’s equally as important to know what to message as it is to find the right time and format to deliver that message.

In security, understanding who your stakeholders are, what they need to know, and how to best get it to them is the fastest way to effective communication. The chart below is a reference and starting point.

Messaging Matrix for Cybersecurity Stakeholders

Communication effectiveness can, and should, be measured

Security teams can and should measure message effectiveness. When communications improve, you’ll notice these things:

  • Leaders will ask more questions
  • Partners will offer more invitations to engage and to connect
  • External stakeholders such as auditors and clients will have fewer inquiries
  • Employees will trigger an increase in false positives — because they are more engaged and identifying more potentially nefarious activity.

There are clear performance indicators that can be used to track effective security business engagement. These key performance indicators (KPIs) can be used in the same way that other security measures (such as Mean Time To Detect) are used to track effectiveness of controls. You can, and should, measure the effectiveness of your stakeholder engagement and messaging with real metrics. Some examples of those metrics are in the chart below.

Key Performance Indicators for Cybersecurity Messaging & Engagement

For the Business Leader: Know what information your Security Team values

Business leaders are increasingly expected to take an active role in cybersecurity and privacy decisions. You can do this easily by being a better partner to security. Know what types of information your security team needs to better detect threats and protect against them, and know the best way to deliver that information. Being a good partner to security is not just good corporate citizenship; it’s your mandate as a business leader and the expectation that clients and investors have of you.

The list below gives examples of essential pieces of information that business leaders should be sharing with their security team on a regular, real-time basis.

  1. Strategic business changes — When strategic changes are made to product offerings or jurisdictions of operation — the security team needs to know. When new products are being considered or potential mergers are being considered, the security team should be informed.
    In addition to delivering preventative controls, the security team also delivers detective controls. Knowing what changes are occurring to the commercial side of the business helps the security team consider different potential adversaries and criminal motivations as well as regulatory responsibilities.
  2. Crown Jewel Information Assets — Security teams have many different strategies and tools that they can deploy to protect information and systems. But they need to know which tools and information need the most protection and the value that they have.
    Help your security team to deploy the best protections by spending time with them to convey which information assets are the most critical or sensitive to the company. These are the pieces of information that need the most protection from unauthorized disclosure, unauthorized manipulation or unplanned outages.
  3. Unusual activities — Early escalation means early response and may mean less damage. Security teams always want to know when you suspect unusual activity or observe something out of the ordinary. The sooner you can let them know, the faster they can take action and reduce the potential for more significant impact.
    Be sure to connect with your security teams to know who to contact, what information to share and how to engage when you suspect any kind of unusual activity.

Conclusion

Managing information risk and reducing the threat of cyber incidents is the responsibility of the entire executive team. One of the most effective ways that the business and security teams can partner is by delivering the right information at the right time in the right way to each other.

Yael Nagler

Cyber. Risk. For 20 years, I’ve led business transformations from within Fortune 100 Financial & Tech companies. More @:https://www.linkedin.com/in/yaelnagler/