Security Think Tank: Focus on business impact and likelihood of cyber attacks
How can cyber security professionals communicate effectively with the board and senior business leaders – what works and what doesn’t?
Many business leaders believe cyber security is complicated and they won’t be able to understand it. This belief can be difficult to overcome.
On one occasion, I had a senior who decided that I was a “techie” and therefore he wouldn’t be able to understand me, so he never did, even on the simplest of things. This is not a good place to start and can be difficult to get out of.
In reality, members of the board do not need to understand the underlying complexity of cyber security any more than they do when making decisions on any other complex topic, such as finance or legal. Typically, they rely on expert advisers to present the options, risks and make recommendations, either directly or through specialist board members, such as the finance director or commercial director.
Therefore, the most important thing in communicating cyber issues to business leaders is to enable them to understand the business impacts and the likelihood of potential issues.
As with any communication, when talking to business leaders it is essential to understand your audience and explain things in terms they will understand and be able to act on. Unless you are in the business of selling cyber security, the only times you talk to the board or other business leaders may well be about a cyber risk to the business, an ongoing cyber issue, or funding for a related project.
The most important thing is to put the arguments in business terms, rather than technical terms, avoiding at all costs acronyms and detailed technical discussion, unless you are fully confident that your audience will understand you.
To do this successfully, you need to understand the business and its objectives. One approach is to take a top-down view and think about what would cause the most negative impact to the business objectives – for example, loss of revenue, profits or reputation – and identify whether and how these could be brought about by a cyber attack, or prevented by something you are proposing.
Another good starting point is finding out what the board views as the top risks to the business. You can then discuss cyber security in business terms rather than technical terms and talk about how cyber security mitigates the business impact, rather than the technical impact of a cyber attack. Achieving this requires an ongoing dialogue, so that, as a security professional, you can understand the business risks.
Regulations such as the EU’s General Data Protection Regulation (GDPR) and the NIS (network and information systems) Directive are important to consider as business risks, and should be part of any security case. However, it is important to get the message over that simply being compliant does not (in most cases) address all the cyber security related business risks. What you need to avoid is the board believing that simple compliance is all that is needed.
Business leaders are busy people, so you need to be concise and to the point, particularly in written communications. There is a reason why executive summaries are short, but they should be backed up with more detailed information that can be “dipped into”. Make it easy to find the detailed justification for any particular assertion without having to read the whole document: board members will not spend time hunting for it, and an assertion they cannot verify quickly is one they are likely to question.
Board members and business leaders are generally not experts in cyber security, and neither should they be. As with other topics, they look to the experts to provide solutions and recommendations. It is therefore not sufficient just to state the problem – you also need to offer options to address the business risks that arise from it.
For those who remember Sir Humphrey Appleby from Yes Minister, he suggested offering three options: do nothing, your preferred option, and a wholly unacceptable option. While I wouldn’t necessarily suggest going with such an unacceptable option, three options is about the right number and “do nothing” should always be included. The “do nothing” option allows you to describe the impact of not acting and will probably be asked for, so it is best to be prepared.
In summary, as security professionals, we need to be able to translate cyber security issues into business risks and enablers in a way that is understandable to a business leader and provide potential solutions to support board members in making decisions. To do that, we need to understand the business strategy, its risks and the motivations of individuals.
Therefore, talking with business leaders should be a two-way dialogue, allowing the security professional to understand the business and the business leader to understand the cyber security risks to the business.