This week's theme for National Cyber Security Awareness Month is "Cyber from the Break Room to the Board Room." Communication, like anything else worth getting better at, takes practice. Sometimes it takes planning to know what we want to say and how we want to say it. We also need to anticipate who our audience is because what is important to you, might not be as meaningful for them. This is especially true when it comes to cybersecurity and how to convey to executive management the value of securing their organization from cybercrime.
IT security and fraud teams can speak in volumes about denial of service, zero-day threats, and how many data breaches occur daily, within enterprises just like theirs. However, much like other business units, management often perceives IT as a line item in their overall budget, and sometimes, a necessary evil. They are often known as the department of "NO." As a result, there is almost always a terminal and unfortunate disconnect between when it comes to cybersecurity. There needs to be a way to bridge the communication gap between security and the C-Suite
At RSA, we refer to this disconnect as the "gap of grief" which we described in this recent post. In short, the gap of grief suggests that despite all the money organizations have invested in security, when a security incident occurs, it's often difficult for IT professionals to put security details in business context fast enough. As such, it's important to remember that you're solving a business problem. Being able to clearly explain how an appropriate level of security is relates directly to business outcomes is a skill you must acquire to effectively bridge that gap of grief.
In the world of fraud management, the ability to communicate value is somewhat easier than traditional cybersecurity as there is most often a clear ROI on the investment. For example, if we invest in this technology, we will see fraud levels drop x%. It is easily quantifiable. However, there are also many proven benefits such as an increase in transaction volume which translates to additional revenue.
Yet, not every cybersecurity tool will be able to demonstrate a perfectly robust ROI, so there remains a need to convince management of the value in protecting their organization from existential threats. There is a single over-riding word you need to keep in mind to be successful: RISK.
Our first piece of advice then: when you try and communicate with executives, develop strategies that conform to the prism (or the way they see it) of managing risk. Everything else is icing on the obligatory cake.
Try These Security Rosetta Stone Communication Tips:
What follows below are suggested paths of least resistance (e.g. scripts) to be considered next time you have to explain to executive management that securing (e.g., locking down) their organization is a reasonable business outcome.
You say this: With all of the recent password breaches, we must add more security to our consumer portals to prevent account takeover attacks...
They hear this: This level of security requires additional steps that will result in poor customer experience. This will drive away customers, transactions and sales.
Say this instead: We can reduce fraudulent transactions by x% or by x$ if we implement authentication controls for high risk transactions, especially for consumers using mobile devices. We can also confidently roll out more services and drive more revenue from that channel. We can still make it convenient and a frictionless user experience but we can also make it secure. Taking that step not only mitigates risk, but also protects our brand reputation and our customer data from being breached.
You say this: A severe cybersecurity incident is something we need to plan for; in fact, it's inevitable...
They hear this: We're a small company. We're not under any risk. Be honest: You only want the amount we initially budgeted for IT to be fully restored.
Say this instead: IT security can directly help you to avoid the costs associated with downtime, lost productivity and damage to the reputation and confidence of your business. In fact, since the cost of downtime is an industry average of $5,600 per minute or $300,000 per hour, the investment you make in securing the network now will be minuscule by comparison if we become the target of a data breach or a Distributed Denial-of-Service attack.
You say this: Employees represent a vulnerability in our security defenses, especially when it comes to things like spear phishing or downloading an unauthorized app from some third-party online store. They place themselves and our company at risk and we need to encourage employees to be smart and to leverage strong security techniques...
They hear this: If our employees spend their time looking out for threats, they're not spending time on what we're really paying them for: doing their jobs.
Say this instead: Everyone, employees included, should make information security their responsibility. And that responsibility should be clearly defined, communicated and supported with effective education and awareness. Moreover, that level of awareness should be supported by senior management, including the C-suite, and be integral to our strategic framework.
While YMMV (Your Mileage May Vary) for any of these, by acknowledging that business people think in terms of business outcomes such as risk, compliance, cost and enablement, you're more likely to succeed than not in getting them to see things your way.
And, if all else fails, one only needs to turn to the financial impacts of recent breaches to organizations with real dollars attached to it. For example, Verizon is carefully reassessed the final purchase price for an acquisition they are engaged in after the organization experienced a breach. Some reports even have suggested the hacking incident could ultimately impact the closing price of the deal by up to $1 billion. Believe me: once you put it in business-driven security terms, (e.g. market cap, company valuation, fraud reduction, so on), you're probably going to have their full attention.
Author: Angel Grant, CISSP
Category: RSA Fundamentals, RSA Point of View, Blog Post
Keywords: Business Driven Security, Consumer Security, Cybercrime and Fraud, Enterprise Security, NCSAM, Security Management