View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
December 13, 2017

Connecting the board with cybersecurity

Whilst large-scale data breaches are getting more media attention than ever, it’s clear that there is still a disconnect between an organisation’s board and the realities of cyber-threats.

By Ellie Burns

From the Yahoo breach to the Equifax breach, it’s becoming more and more obvious that cybersecurity is still ‘black magic’ to the board. With the introduction of legislation such as GDPR, organisations that fail to comply risk being crushed by fines, severe reputational damage and its believed by many that criminal liability may be just around the corner. So, just how can the board can get up to speed and connect with the realities of cybersecurity?

My unique perspective on the cybersecurity landscape comes from 15 years as a frontlines practitioner; I was a penetration tester or ethical hacker and incident responder.  During this time, I was involved in thousands of vulnerability assessments, penetration tests, incidents, investigations, and mock scenarios.  Throughout my years working within the realm of cyber, I always wondered why so many organisations, from Fortune 500 companies to smaller independently run businesses, suffered from the exact same security challenges.  It wasn’t until I became an executive myself (Chief Information Security Officer) that I figured it out.

Chris Pogue, Chief Information Security Officer, Nuix.

Chris Pogue, Head of Services, Security and Partner Integration, Nuix

Security professionals have their own set of vernacular that is not only unique in the Information Technology world, but it is completely unique to them.  They use terms like threat, vulnerability, exploit, compromise, beach head, privilege escalation, and exfiltration.  These terms are used to describe in detail, the minutia of an event where accuracy and precision are tantamount to success.  This is how they write because this is how they think, because this is their success criteria; very specific technical detail.  This is language of the cybersecurity professional, and it’s spoken by few others outside their peers.

For years, cybersecurity professionals have tried to communicate the risks, threats, and vulnerabilities they have uncovered to their organisations or customers only to have those messages overlooked, marginalised, or altogether ignored.  The reason was not that these issues were not important or even critical, the long list of data breaches illustrates just how important they were, rather they were communicated improperly using unclear language.

A very wise man once said that a common language is essential to the success of any organisation.  One of the main reasons executives and boards of directors and cybersecurity professionals are failing to build robust security frameworks is because they can’t find this common ground.

If we step back from the world of cyber for a moment, one of the most basic components in communication is knowing how to effectively relay your message to your target audience.  Communication is a combination of message sent and message received and breakdowns can occur in either part of the process.   For years, the cybersecurity industry failed to adequately understand the importance of this critical, non-technical aspect of their jobs.  They saw the lack of understanding or response from executives and boards to be the result of indifference or malaise towards cybersecurity. When in fact, it may have actually been a result of their own inability to understand their target audience and adjust their messaging to ensure that what they were sending was indeed what that was being received.

In my transition from security practitioner to executive I have witnessed first-hand these communication challenges but have identified a path forward.  Like any other relationship where communication is important to success, this too can be addressed by understanding the other party’s frame of reference and using language that they can easily understand. The language spoken and understood by the board includes terms like risk appetite, brand damage, valuation, and profitability.  They are focused on the overall success of the business against the backdrop of financial success as defined by their investors or shareholders.  Therefore, any messages they are sent are going to be interpreted through this lens.

Content from our partners
How businesses can safeguard themselves on the cyber frontline
How hackers’ tactics are evolving in an increasingly complex landscape
Green for go: Transforming trade in the UK

Cyber risks and the impact of an incident can very easily be connected to the concepts understood by boards.  Large scale breaches at Equifax, Yahoo, Wonga, Three, Sports Direct, and Tesco Bank, (just to name a few) have provided examples ranging from plummeting stock prices and devaluation, protracted litigation and executive resignations.  These are real world impacts that have a direct correlation to the things boards care about.  Utilising this sort of vernacular in cybersecurity risk messaging will ensure that message sent, and message received are the same thing.

Suitable communication between cybersecurity professionals and boards will also lay the foundation to building that common language that is so important to success.  Pentest or incident response reports that are typically mired in technical jargon should be translated by the CISO to show the direct nexus between the findings and the business impact from a board perspective.  Likewise, board members should begin to see the connection between their organisation’s security posture and their brand reputation and financial positioning in the market.  As each group strives to understand and speak the others language, communication between them will become easier and hence more impactful resulting in their organisations having a better security posture.

It’s not often that communication strategies and linguistic nuances are addressed when talking about cybersecurity, however, I have found it to be the missing link that will help cybersecurity professionals and boards of directors address the threats that they are collectively facing.  Without question, these two groups have the best interest of their organisation in mind and by working together to identify, define, and understand a common language, they can exponentially increase their chances of success.

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how New Statesman Media Group may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.
THANK YOU