Senior leadership takes cyber security seriously – they often just don’t understand it. Here’s advice on how to keep them engaged in cyber.
Cyber security has steadily risen to a top-tier priority. CISOs are regularly asked to report directly to the Board of Directors, and companies are pouring money into cyber programs. According to Cybersecurity Ventures, security budgets have increased 35X over the past 13 years. (For more on CISOs' expanding roles, see our blog on the topic.)
Along with all of this growth, there has been an equal amount of confusion, frustration, and fatigue. Even with increased budgets, security teams are struggling to keep pace with growing threats. With an estimated 3.1 billion records stolen in 2016, the rise in ransomware, and the list of high-profile hacks reading like a who's who (e.g., Yahoo, DNC, CIA, OMB), the discussion has shifted from "if we get hacked" to "when we get hacked."
Boards of Directors are starting to lose patience with cyber programs. An Osterman Research survey of board members showed that 85% felt that the information from IT and security executives is too technical. Poor communication like this does the one thing that board members hate most – it increases risk. Without the proper information, senior leaders cannot make the correct investment, policy, and strategic decisions about their cyber security. This not only impacts the company but has direct repercussions for security executives. In the Osterman survey, 59% of respondents said that one or more members of the IT security team would lose their jobs if they did not provide the board with useful or actionable information about the company's cyber risk.
With so much riding on how you communicate with your senior leadership, you need to make sure that you are not simply reporting to them. Rather, you are informing, educating, and engaging them about how cyber risks, capabilities, and requirements impact the bottom line. Here is some guidance to help you more effectively manage your senior leadership.
Be Business Relevant
Cyber often gets a bad rap. It's seen as an inhibitor to operations and an overhead expense. You need to reshape this perception and show how cyber security is a business imperative. The new reality is that cyber is part of almost every aspect of operations. Every connected device and application, from printers to manufacturing systems to mobile devices to the apps you develop for customers, has a cyber dimension. A good cyber program helps companies reduce risk so they can move faster.
Think of it as a car. If you have great brakes, steering, and tires, you can go much faster and out-maneuver your competitors. Cyber works the same way. By reducing the risks in your operations, you gain the speed and flexibility to meet your market demands. Threats and risks are out there. Your cyber program helps you minimize and manage them to free up your operations.
Cyber has inherent brand value. This means that your customers, clients, and partners will judge you on your cyber security capabilities. How they judge you is up to you. A good cyber program helps you establish a trusted relationship with your customers that builds brand loyalty and can be a key differentiator. In some cases, you might even be able to offer specific cyber-related services to your customers. As security threats grow, cyber will be a larger part of your market identity.
By positioning cyber in business, rather than technical, terms, you will be able to better align with the priorities of other organizations and senior leaders.
Connect The Dots
You need to help your senior executives connect the dots from your cyber efforts to their strategies. This is especially important with the Board. The closer you can align what you are doing, and what you require, with the success of their strategy, the more relevant and effective you will be.
Cyber is about reducing risk. If you demonstrate how your efforts reduce risk, and in turn help achieve their objectives, you will be heard. For example, take an acquisition strategy. If your company is growing through acquisition, a strong cyber security program can be incredibly helpful. If you have the right assessment processes and capability development, you can help with due diligence and valuation of new acquisitions. You can also help speed up mergers while reducing the cyber risks involved in blending different systems. This same logic works for market entrance, supply chain expansion, new product development, or almost any strategic initiative.
The more you reduce risk the more value you create for the company, and its investors. Thus, the more you show how you reduce risks and remove obstacles for corporate strategic objectives, the more value you will create for your cyber program.
Be clear, concise, and compelling
Don’t talk past your executive audiences. When communications fall flat, it is because they are focused on what the sender wants to say, rather than what the receiver needs to hear. Calibrate your communications to your audience. Explain yourself in non-technical terms and avoid “buzzword bingo.” Explain acronyms. Keep your communications short. Be very clear on why you are communicating, and what you want the audience to do as a result.
Here are some other useful tips to keep in mind when communicating with senior executives:
- Your stats are not their stats – You have a lot of metrics you use to keep your cyber operations moving. These statistics might be critical to you, but they are not always compelling to other executives. Separate operational metrics from strategic ones. Strategic metrics need to show how your operations align with their strategic objectives. For example, senior executives might not find the total number of vulnerabilities identified in a monthly scan compelling (and might be confused by this statistic), but they might find it interesting that your average time to patch critical vulnerabilities went down by 20%, particularly if you previously established that as a key risk reduction metric.
- Storytelling goes a long way – Explain your operations, objectives, or requirements by using a story. People tend to retain and process information better in a storytelling format. You can use examples of how others have struggled with this, or draw from your own experiences. Don’t make these stories too long. But framing your efforts in a story can give you a compelling tool to make your effort more tangible to executive audiences.
- Reinforce core themes – Although you don’t want to be overly repetitive, you do want to reinforce key concepts and themes. Think about the 3-5 key themes you want them to remember, and work those throughout every presentation. These messages are short, such as “cyber is a business imperative,” “we must drive cyber into our brand,” or “we reduce risk for your strategic objectives.” Frame your discussions around these themes to help drive them home.
- Fear only gets you so far (and can actually hurt your cause) – Cyber professionals often push fear, uncertainty, and doubt in their efforts. This will only get you so far. It's better to position yourself as a business asset and a critical part of strategic success. Threats are a reality; your job is to reduce, remove, and manage them so the company can be successful. Pushing fear too much will likely increase cyber fatigue.
- Drive engagement, not just awareness – Making executives aware of cyber security really isn't enough. They need to own it. It needs to be part of their operations and their success. You need to show them how cyber is critical to their operations, what parts they own, and what they can actively do to participate. Make cyber a way they can show success in their operations. This can be everything from getting their people to use cyber best practices, to how they launch their products, to the policies they enact. The more engaged your senior executives are, the more cyber becomes part of the corporate DNA.
- Take the time to educate – Cyber can be a big, scary environment, especially for executives. If you take some time to educate them on key aspects of cyber, they will be more open to and engaged with your messages. Talk to them about emerging threats that are relevant to them. Explain the context of a key concept, such as data protection or social engineering. Make sure you use non-technical terms and put the education in a business context. People want to know more about cyber. If you can help them, you will position yourself as a partner and guide.
- Proactively manage expectations – Make sure you are always managing expectations with your program. If you don’t make clear early in your conversations the key dependencies, timelines, costs, and the potential for unknowns, your senior executives will fill in the voids. That can put you in a tough position later.
Know what’s on their minds
Make sure you do your own due diligence to find out what is keeping your senior leadership up at night. This is especially important for the Board of Directors. If you can hit the key points they care about, you can help frame the conversation.
The Wall Street Journal conducted a study to find out some common cyber issues that are top-of-mind for Board members. You might want to address these in your next Board briefing:
- Due care – How do boards know if they’re doing a good enough job when it comes to cybersecurity oversight?
- Insider threats – What has the company done to deter, detect, and remediate insider threats?
- Third-party risk management – How is the company reducing risks with its vendors, partners, contractors, and suppliers? How is data and access managed with third parties? What are our exposures if they get hacked?
- Cyber insurance – What is covered with cyber insurance? Should the company get cyber insurance? What kind of coverage? How do we minimize premiums?
- Information sharing – How does the company share cyber information with competitors and the government? What are the privacy laws and regulations about cyber information sharing?
- Mergers and acquisitions (M&A) – How does cybersecurity factor into M&A?
- Incident response/breach notification – Who needs to be notified, and when, during a cyber breach?
No cyber program is an island. Cyber leaders need the active support of senior leaders across the organization and of the Board of Directors. As the cyber environment becomes more complex, and threats become more diverse, clear executive communication is rapidly becoming one of the most essential elements of a successful cyber security program.