Cybersecurity is becoming more prominent. At least publicly. If you work within the industry, you already know how important it is to have a healthy cybersecurity posture. Your executives know that too. They just... have more to focus on.
But with that said, C-Suites around the country, heck, around the world are starting to stir on the issue and they're asking more and more questions. That's a good thing, it is. But with any cultural shift, there are difficulties.
Security7's been dealing with that for years. We're used to being asked questions. We're used to putting information into consumable, and understandable ways. That's not always the case across the board. To help curb that, Ray Scholl, Security7's Chief Information Security Officer, and Darrin Maggy, Security7's Practice manager sat down to discuss the issue.
Here are five tips for helping you talk to your C-Suite about cybersecurity:
- Tie Your Objectives Back to the Business - "Typically, executives are going to care about how something impacts their world," Maggy said. "If you're not going to talk about how your cybersecurity objective benefits the business the C-Suite isn't going to want to hear it."
Tying your objective(s) back to the business allows you to demonstrate a level of business acumen that your C-Suite will appreciate.
- Illustrate Your Points and Agenda without Using Fear - Cybersecurity attacks can be scary. It's easy to try and leverage fear when talking to decision-makers. Executives, however, don't like that. No one likes being motivated by a scary story. Sometimes, fear's already directing the decision process. Avoid using it if you can.
"A certain amount of information HAS to be relayed to these people," Maggy said.” Again, this is where business acumen comes in. You need to know your audience. You need to know what things are important to them."
Knowing what's important to your audience and hitting those marks is just as impactful, if not more so, than using cheap scares to try to make your point.
- Keep Your Briefs Brief. Brief AND Informative - "They (the executives) move on to other topics quickly. Your message needs to be very concise so that they can look over your proposal before moving on to something else," Scholl said. "You need to start the conversation in a way that you get information out quickly, succinctly and well-formatted,"
Scholl suggested focusing your information into a two-page report. "Include things like your current cybersecurity posture, itemize your risks, show things you've remediated," he said. "You can work in some other visual aides and show them what they need to see from the word go."
- Analysis Paralysis is a Real Thing. Steering Committees can Help - It's (unfortunately) not uncommon for executives to see establishing a robust and healthy cybersecurity posture as a daunting task. If you're faced with this, it can be helpful to suggest the formation of a steering committee.
"A steering committee for information security is a must," Maggy said. "You get to lay everything out on the table and get feedback from everyone involved. You're giving people an opportunity to weigh-in upfront in a forum where they can air any risks that need to be addressed or treated, talk about forthcoming capital expenditures, and the security controls that need to be put in place for the organization.
"I did something like this just the other day with a client," Maggy said. "An inaugural information security steering meeting. Upfront nobody wanted to say anything but by the end of the meeting I had been completely drowned out, and that's a good thing. There was so much discussion going on in that room. By the end of the session, my primary contact had all kinds of support, compassion, and empathy for what he was going through."
It's important that when forming this kind of steering committee you include the appropriate personnel. You. need to include executives that are responsible for critical decision-making in the organization. If done correctly, by the end of the session you should have a ball in motion, and you'll be on your way to not only corporate buy-in but a deeper level of understanding from leadership.
- Stress Security Awareness Training - An organization's cybersecurity posture is only as strong as the weakest link. If you've done the things we mentioned above now's the time to stress this point. Security awareness training is a must for an organization. It reaches from the top to the bottom.
Implementing a cybersecurity program can be a cultural change for an organization and it can be difficult to get people to follow along. If you start at the top, leadership can help you implement not only a successful cybersecurity posture but a successful security awareness training program as well.
Like our blog? Subscribe using the CTA in the upper right-hand corner of this page. Feel like sharing your thoughts with us? Use the comment section below.