CISOs and the Board: communicating effectively

Do you find that CISOs find difficulty communicating business issues with top leadership?

"If you explain this as a technical issue you will get the attention that a purely technical issue might deserve."

Professor Marco Gercke, the founder of the CyberCrime Research Institute, talks to Jeremy Swinfen Green about how to make the Board sit up and take notice of cyber risks.

Do you find that CSOs sometimes have problems in communicating these instances with top leadership?

Well, it's always depending on how you do it. When you're solely approaching this from a technical level and try to explain to people this is a technical issue, I think you will get the attention that a purely technical issue might deserve. However, if you're showing that this can be threatening to a whole company, and we've seen companies disappear because of cyber attacks, we can see that this can really threaten the core of the company. And that it is not only a minor technical thing that the computer systems might not work for a day or two, but this can have severe impact and can ruin companies.

And I guess you will easily get the attention if you're making your case, if you're making a strong case by saying, OK, I'm going to show you what happened to competitors. It's this threat intelligence that is sometimes not there. What I would say it's fair to say is that companies do not like to talk about cyber attacks, so you will not necessarily know what happened to other companies that you can use as a theme and can show this happened to our competitor. Let's do something.

Sometimes this information did not use to be out there. We're seeing that there is more and more sharing of this kind of information right now, so it makes it a little bit easier for those people who want to pitch the topic, but my suggestion would be try to make the case that this is not an isolated technical problem, and you want to have some funding for technical solutions, but say we need a holistic approach that involves the board, and then I think you will get the buy-in. Especially we're realising that after going through those simulations that usually they're the champion afterwards. They want to be the ambassador for this topic because they're realising it's so big and it affects them and therefore they want to take a proper response there.

