Martin Leggett, Head of Strategy and Behavioural Change at The Security Company, explains how security professionals can engage top management in their organisations.
So why exactly isn’t your board listening? Well actually, they are.
The problem is that what you are saying and what they are hearing are different things entirely. It may as well be a foreign language. It’s like speaking Vulcan at a Star Wars convention.
This isn’t news to most of you. Any CISO worth her salt will have learned long ago that she needs to become familiar with ‘board-ese’. Puzzled faces and barbed questions can be great educators. The problem, however, isn’t just in the delivery when mastering that particular eloquence. All too often, it goes a lot deeper.
Speaking the language of the board isn’t merely a matter of translation. What really counts is the content. And getting that right means grappling with some very tricky questions, running right to the core of the role of cybersecurity in the modern organisation.
So, let’s put the ‘board-ese’ phrasebook down and take a step or two back to ask some questions that get to the philosophical nub of things:
How do you prove a negative? It’s the age-old conundrum. The absence of failure shows success in security. So why do we need to invest more (or differently) when there hasn’t been a headline-grabbing breach? Surely that proves everything is fine with your cyber risk controls.
Of course, you can try to make the case by arguing about near-misses or lessons learned from peers – ‘what happened to them could happen to us’. But where’s the properly evidenced business case for your strategic cybersecurity programme, they’ll ask?
This is where the language of risk becomes all important. The board understands risk and so should you. But learn to talk about impacts in terms of probabilities and monetary value, not vague categorisations (like ‘high’, ‘medium’ and ‘low’).
That way you begin the conversation about how much potential loss – in pounds and pence – can be avoided by certain cybersecurity investments. And then you can bring in that red-blooded business metric so beloved of the board – ROI.
How can controls add value? Cybersecurity can seem to be all about the controls. To mitigate risks, you need to lock things down tighter. And more controls can cost more and might impede the business.
Of course, we already have part of the answer here. Once your risks are adequately quantified, you can justify additional costs in terms of newly avoided balance-sheet losses. So far so good. But you might be missing a trick or two.
Firstly, not all controls are created equal. Some can greatly increase security while impacting on output. No business-aware CISO will want to be pushing the curve towards impeded performance. So, make sure you can justify any new technologies or controls through positive improvements in business productivity – and then make sure you shout about it.
Secondly, try flipping perspectives on the ‘value-added’ question by reversing the premise. After all, we don’t have brakes in our cars to slow us down. In reality effective, trusted braking mechanisms give us the confidence to go faster.
And that’s what you can offer the board – the opportunity to go faster, to be more agile.
Why care about cybersecurity? After all, essentially this is an IT issue, delivering solutions through technical fixes – all too often wrapped in techno-babble. For many in your organisation, it’s something best left to the infosec team to sort out. We’ll follow the rules, they say, but the rest is up to you.
Of course, the modern CISO knows this isn’t the case at all. Security controls won’t be followed if they’re not understood. Technologies will be bypassed if the value of them isn’t comprehended. But the human factor in security extends much further than just awareness and education.
It actually cuts to the heart of the relationship between employees and the organisation they’re working for. A technically perfect cybersecurity framework will be comprehensively subverted if staff don’t believe in the underlying premise. If morale is at rock bottom and cynicism prevails, no controls will deliver or protect.
So, for cybersecurity to be truly effective it needs to build on a wider, organisational buy-in. Values must be shared and believed in at all levels. Mutual respect and trust between management and employees needs to be developed.
In essence, cybersecurity devolves into an issue of culture. The good news is that this is another value-add. Tie your cybersecurity programme to the wider benefits of cultural change, and you’re on to a winner.
Asking these sorts of questions and digging deep for answers can really help firm up your relationship with the board. They give you the confidence to answer the tricky questions that can so often be flung from those tasked with safeguarding the business.
But of course, we only have half the picture here. It is just as incumbent on the board to know where you’re coming from. The relationship shouldn’t be one-way.
In fact, we find that the board is often much keener to understand your perspective, and raise its awareness around cybersecurity, than you might think. We’ve run boardroom workshops where a spot of role reversal has melted previously tense relationships between CISO and board.
So, don’t be afraid to be bold and imaginative in your engagement with the board. Think hard about the underlying premises. And do remember to keep that board-ese phrase-book handy.
Martin Leggett is Head of Strategy and Behavioural Change at The Security Company. He leads his team in the creation and delivery of strategic programmes that transform the security culture of major organisations across the globe. Such programmes home in on the human factor in security, engaging people through the understanding and shaping of values.