“Security threats” are threats in the most visceral sense of the word. With news of major attacks breaking constantly, more corporate executives are beginning to recognize that.
The problem is that there is often a wide communications gulf between a company’s IT security team and the boardroom. The Information Security Forum’s Threat Horizon 2016 report notes that more CEOs are finally backing an agile, strong approach to security, and that they now expect the CISO to lay out a clear course of action in terms that make intuitive sense to them.
How can security teams report to the board more effectively? One thing that doesn’t work is scare tactics. Telling business leaders how damaging attacks can be (and therefore why they should invest in specific solutions) fails to convey cybersecurity’s real value and its relevance to business goals.
But, as an IT professional, you know the importance of information security has to get across somehow. Here are some approaches that do work when talking to executives.
Connect Security Measures to Business Objectives
Business executives care about the company’s longevity and its revenue growth. In your assessments and reports, those are the goals to which you should connect cybersecurity activities.
It is most helpful to show how specific threats can derail a company’s growth, profitability and competitiveness. Intellectual property theft is one example: in a Deloitte poll, 58% of corporate respondents said they expect a substantial increase in that kind of cybercrime. IP theft can expose a company’s trade secrets and customer data, which means direct hits on revenue and customer trust.
According to the same Deloitte poll, only 16.7% of respondents limit access to their IP, leaving it wide open to the type of malicious actor they are most wary of: employees. The direct remedy is least-privilege access to that IP; the finding also strengthens the case for detecting and curtailing suspicious activity from any source, insiders included.
It can also be powerful to explain current vulnerabilities and why it is crucial to act on them now rather than later. Where endpoint security issues exist, such as malware-infected laptops that have connected to the company’s network, explain the nature of the issue, its likely impact (without harping on a doomsday scenario), and what can be done to prevent costly incidents. Each item lands better when it names the asset at risk, the likelihood, the cost of an incident and the cost of the fix.
Connect the Importance of Information Security to Trust
Big data breaches can leave companies in a deep public relations hole.
Alongside IP, sensitive consumer information is often what is stolen, and that can instantly, if not irreparably, tarnish a company’s brand. The dangers to consumers run deep depending on the sector and the data compromised: the 2015 attack on the health insurance giant Anthem exposed nearly 80 million records containing social security numbers and income information.
Regardless of how large or small the impact on customer relationships, revenue must then be diverted to investigating and cleaning up the incident and to making sure it does not happen again.
Therein lies the chance to define the value of information security in terms of consumer trust. According to a recent study, 75% of consumers said they would take their business elsewhere if a breach were the fault of negligent executives. Particularly for growing companies in healthcare and finance, where protection of customer data is paramount, cybersecurity as a safeguard of the brand is an important point to make.
Clearly Explain the Need for Specific Measures
Effective IT security goes far beyond compliance, and executives need to know that. They need to grasp why specific security measures are needed to protect specific company assets.
Your audience might be unaware that a simple antivirus product is not enough. Millions of new threats emerge every day, and many evade detection even by next-generation AV, no matter how sophisticated its algorithms. No prevention layer blocks everything, which is why visibility into, and a response to, whatever gets through matters.
How do you communicate the need for something more? It helps to have a specific solution in mind, for example identifying weak spots in a network and proactively shutting down suspicious activity on endpoints and servers, which is what SentinelOne’s Endpoint Protection Platform (EPP) does. Describe security approaches that are proactive rather than reactive, explain why they safeguard everything from trade secrets to employee ID and payroll information, and show why they ultimately save the most money and resources.
Use Simpler Language and Visuals
You shouldn’t “dumb down” the importance of information security, but if you talk only in highly technical terms, business people won’t relate. You need to meet them on their terms.
Simple language and visuals support the story. In your reporting, charts, graphs and plain explanations can succinctly communicate things like the current maturity level of the company’s security program and the priority given to protecting particular assets. A handful of metrics tracked over time, such as the share of endpoints with current protection, patch latency, or time to detect and contain an incident, says more to a board than a page of raw findings.
Craft a Detailed Plan of Action
Leaving implementations unchanged implies that security solutions can simply be “static,” running in the background while complying with industry standards, and that everything will be fine.
Clearly, that’s not the case. Corporate cybersecurity in 2016 and beyond needs to be deeply integrated and relentlessly active.
By proffering a detailed plan of action, you can provide visibility into security needs at deep levels of the corporate infrastructure. Rafal Los explains the difference between IT security efficiency and effectiveness; both are essential, and achieving the latter often means a company must invest in deploying a solution across all business units.
By explaining what needs to happen at every level, how a specific investment will reduce a specific amount of expected loss or expenditure within a specific time frame (be concrete here: the cost, the figure it reduces, and the period), and how it benefits the business long-term, you can make a convincing case.
How can you really drive the point home about needed action? Again, impactful news should be part of the conversation. Taking major breaches in your company’s industry and putting them in terms that address company goals can help leaders see the immediate advantage of agile security and a deeper partnership with IT.
While challenges in communicating with company executives endure, things will improve in time. Until full integration becomes commonplace, establishing goals that make immediate sense to business leaders, and presenting crystal-clear solutions to current and predicted vulnerabilities, is the way to go.