A communication gap between executives, board members, and security professionals is leaving security businesses vulnerable, new research suggests.
The importance of having a robust security strategy means cyber is a board-level issue, but a new study from Dynatrace found executive engagement in security is limited by a lack of understanding.
70% of C-suite executives polled by the firm said security teams often talk about security issues using overly technical language without providing a clear business context. This, the study noted, is exacerbating traditional communication gaps between board-level executives and the security function.
But this works both ways, the study noted. From the security professional’s perspective, it is difficult to translate the insights generated by security tools into digestible information.
For example, 75% of CISOs said their security tools have a limited ability to generate insights the CEO and board can use to understand business risk and prevent threats.
Dynatrace’s findings clearly show CISOs feel their fellow executives need to invest more time in understanding their security strategy, and not leave them to shoulder the entire security and compliance burden.
83% of CISOs said their board of directors and CEO need to understand their organization’s security posture better so they can assess business risk and compliance requirements
A further 77% said their boards and CEOs focus too heavily on their business’ ability to react to security incidents while disregarding proactive measures to reduce and prevent cyber risk.
CISO's need to convince C-suites on importance of security
Speaking to ITPro, Ev Kontsevoy, CEO at Teleport, said CISOs face an uphill battle trying to get their fellow executives to alter their perspective on cyber security as a business enabler, rather than simply a drain on company resources.
“Convincing any C-Suite executives that cybersecurity is a business enabler rather than a resource drain is like convincing people that vegetables should be in their diet. You want the conversation to be more about how they can maximize their chances at survival – i.e eat your broccoli”, be explained.
“That’s super important for CISOs and security professionals to understand because while plenty of CISOs, for example, might come from more technical backgrounds, the same isn’t necessarily true for your average CEO, CFO, or CIO.
“They look at the bigger picture, including cost, quality, and time to market. So, you have to understand the business side when navigating relationships with those stakeholders.”
The answer, according to Kontsevoy, is to express these concerns in terms more familiar to C-suites, in terms of profit and loss, and that taking a proactive approach to your organization's security will be a lucrative investment in the long-term.
“You have to show them in plain terms the huge expenses that have resulted from past data breaches. And if you’re trying to explain to them what causes data breaches in the first place, it’s a lot more interesting talking about how human error and social engineering, not software vulnerabilities, are the root cause of that problem, rather than delve into the technical jargon of what various cyber security tools do.”
CISOs need to get better at talking business if they want everyone to pull their weight when it comes to security
Kai Roer, CEO and co-founder of Praxis Security Labs, agreed, telling ITPro that being able to translate security risks into business risks is vital for a functional CISO-board relationship.
“The challenge for CISOs is that they tend to be trained in using technical terms to describe risks, whereas boards and c-suites are educated in using financial and business terms for risk. Furthermore, CISOs are usually focused on IT and information security risks, whereas boards and c-suites focus much more broadly.”
CISOs struggle articulating security risk because there is a widespread assumption that their audience needs to catch up with the fast paced world of cyber security, according to Roer, but this is generating material harm for businesses.
“The biggest challenge is that many CISOs, especially those with a technical background, tend to believe that everyone around them needs to adjust to the world of the CISO. This bias is causing a lot of harm because these kinds of CISOs fail to see their own responsibility in adjusting their own communication to the target audience, in this case the board of directors and the c-suites.”
Roer argued the responsibility is on the CISO to adjust their communication according to the audience to help all parties understand where they fit into an organization’s overall security strategy.
“In my opinion, CISOs must learn to speak business. This will not only help them to get more acceptance for their suggestions and their responsibilities, but it will also help them understand where they fit into the overall risk posture of their company.
“IT and information risk is but one of multiple other risks involved in running a business. By the end of the day, the CISO’s main responsibility is to make sure that risks are managed in a way that ensures there is business to be had tomorrow too.“
