When I first started working in technology, I focused on ‘just making it work’. I picked up small tasks, diagnosed challenges, and learned resilience. Through this self-directed learning, I realized that if I truly wanted effective solutions, I needed to include senior leadership in my decision-making process. I needed to embed functional and non-functional requirements and develop an understanding of expected events (including threats). I then needed to align these events with resource restrictions regarding financial assets, available team members, and hardware/software. Essentially, I began to realize that ‘just making it work’ was the most expensive approach, which led to the highest level of technical debt.
By contrast, focusing on transparent planning, holistic solutions, and the inclusion of senior leadership was better in the long term in that it ultimately reduced cost. Focusing on the communication of risks, requirements, and restrictions helped create a solution that could continue to improve.
Today, when joining an organization or team to support any cybersecurity improvement initiatives, I first look at their existing communication structure. The way this is handled sets the tone for the entire program. It can even be the deciding factor on whether a program succeeds or fails. In many situations, there tends to be a gap between the operations team and the Board, which could include a lack of understanding by senior leadership of the organization’s cybersecurity needs.
Steps to effectively communicate an organization’s cybersecurity needs to the Board:
1. Speak the Same Language
A discussion of privacy and security controls doesn’t resonate with everyone. This can be because there is a lack of understanding of what exactly these controls can do. To address this gap, security professionals should consider speaking a language others can understand – the language of business, the language of risk.
Most people understand risk. We’re taught it from a young age. “Do action/situation x and consequence y happens.” This eventually leads us to a connection that the likelihood of consequence y increases as we take actions or are in situations that are the same as or similar to x. As we grow in our professional lives, we understand the risks in relation to business.
By aligning my cybersecurity discussions with their language, it’s possible to remove the confusion and create a baseline the others can relate to.
2. Understand the Business
Whilst creating a consistent language is important, so too is understanding the priorities and expectations of others with whom you’re speaking. When communicating the cybersecurity requirements of the organization, you must first understand the existing needs and tailor your responses to show that you not only acknowledge those needs but that you can also enhance existing solutions for them. What are the core competencies, in other words? Where is the Board starting from?
For example, if a person you are speaking with has a background in finance, do you have industry examples which they can recall and relate to? Incorporating someone’s existing knowledge base into your messaging can help build understanding.
3. Have the authority, relationship, respect, and mutual understanding
When presenting to the Board you must have a level of mutual respect and understanding with them – if they do not trust you, they simply will not listen. If you don’t respect or trust them, it will be almost impossible to effectively relate and present findings in a meaningful way. Whilst there may be a small amount of implied respect from someone in a position where they are asked to educate on risks and responsibilities of the Board and the organization, there is still a need to enhance that relationship with trust and understanding.
A good example of this is educating the board about foundational controls. Don’t simply focus on the zero-days, nation-state or sophisticated attacks. You’re more likely to be attacked from not implementing “basic” security best practices, such as a lack of a cybersecurity culture. When something avoidable goes wrong, that trust is damaged. Build respect and trust, maintain it, and then you can focus on innovative solutions.
As the educator, you should be practicing the actions you present, as in following the cybersecurity program recommendations. You should also be coordinating with the organization’s leadership to request the necessary meetings, provide the training that’s required and build what you believe is needed.
4. Use statistics, facts, historic information, and industry benchmarks
Unfortunately, you probably won’t get everyone to understand where you’re coming from as a cybersecurity professional, but a good place to start is a discussion with relevant context. What I’m talking about here is providing industry benchmarks and knowing what others are spending, which frameworks they are compliant with, and/or in what areas they’re struggling.
Share this information in a variety of ways, such as by using statistics from industry research and internal metrics. Other times, I have joined information days for the Board as a respected third-party, discussing my experience, using case studies, and bringing the risk closer to home.
5. Be realistic – remove Fear, Uncertainty, and Doubt
There is absolutely nothing worse than creating a terrifying and hopeless landscape and then expecting the audience to take action. That’s not how humans work.
Instead, remove the fear, uncertainty, and doubt (FUD). Present realistic solutions that align with the needs of the Board and organization. Share positive findings, for example “70% of our employees recognized a phishing campaign” instead of “30% of employees continue to fail”. Positivity empowers, whereas negativity causes inaction.
6. Bring the risk closer to home, spread knowledge and encourage education
As mentioned above, when presenting to the Board, I often focus on “bringing the risk closer to home.” This can be achieved by talking about their own personal threat maps, protecting their loved ones, and discussing how they can use social media safely.
By focusing on them, you can often bypass any negative perception that can come with cybersecurity whilst igniting their intrinsic motivations and providing longer-term engagement.
7. Provide external resources
The use of external resources, such as security frameworks, regulatory bodies’ information sites, and industry benchmarking research brings weight to your words. A brilliant example when discussing cybersecurity roles and responsibilities is the NIST Cybersecurity Framework. The NIST Cybersecurity Framework provides a policy framework of cybersecurity guidance for how private sector organizations in the US can assess and improve their ability to prevent, detect, and respond to cyber-attacks. It’s an enormous framework, but they have some great resources to help get started.
8. Build a baseline, understand inherent risk, align your foundations
When discussing the cybersecurity needs of your organization with the Board, you will likely need to share the reason for investment, along with the ability to see results as the program grows. Start any program off by baselining your existing infrastructure and establishing what the threat landscape looks like. This can be achieved by running a cybersecurity maturity assessment. Within this assessment is the inherent risk assessment, i.e. the default risks an organization has without any controls in place, along with a risk assessment.
The inherent risk profile is so critical because it allows you to know the level of cybersecurity maturity that is needed, create a proportionate response to the organization’s cybersecurity needs and use the overall maturity to build a budget-conscious response. When sharing with the Board, having these findings documented and solutions aligned will again create a more powerful argument.
Final Thoughts
Effective communication is paramount. Cybersecurity is simply a part of a much larger program, incorporating resilience and risk. In their article “Seven causes of project failure”, Discenza, R. & Forman, J. B. classify the common causes of project failure into three categories: people, project process, and project communications factors. Each of the areas Discenza and Forman mention in their article can be applied directly to cybersecurity programs. By recognizing these causes and addressing them proactively, you can communicate the organizational requirements much more effectively – with a strong base argument that uses influential facts, findings, and metrics.