*This blog highlights key points taken from the CRMG podcast ‘Changing Senior Management’s Perception of Cyber Security for the Better.’ Listen to the full podcast here.
One of the biggest challenges facing cyber security staff is dealing with the misconceptions held by senior managers within an organisation.
Many business managers have an unclear understanding of the full role of information security in the organisation, and of the possible consequences if information security is not addressed as a key governance area in its own right.
Nick Frost, Director of CRMG, posed the question “How do you get senior managers to have a clear picture of information security?” to two information security consultants and experts, Todd Wade and Andrew Wilson, with a combined experience of 40 years in cyber security.
This article summarises the discussion and offers a guide to changing executive perception of information security.
In days gone by, information security was mainly seen as the responsibility of IT departments to implement technical controls. As long as somebody within the organisation was controlling the IT networks, the problem was considered solved.
Although times have changed, many senior managers (especially in brick and mortar companies) haven’t moved on from this perception. As Todd Wade puts it, senior managers still see “information security as a technical function, not a risk function. There’s a lack of understanding that decisions made in the cyber security department can affect the whole company, more so than a contained technical decision could.” For perceptions to change, Todd suggests there needs to be a cultural shift within the business world.
Often there is a large disconnect between the real potential consequences of information security risks and the perception of them. One way to bridge the gap is to communicate the risks clearly to senior managers.
Therefore, CISOs (Chief Information Security Officers) need to take on more of a leadership role. They should influence department heads and executives to take information risk seriously. Andrew Wilson points out that “it’s particularly difficult for CISOs to take senior execs on the journey of understanding why it’s important to manage cyber risk”.
Part of the problem is that CISOs are required to highlight the risks and wide-ranging consequences of events like data breaches, without being preachy or alarmist.
A possible solution to this problem is to frame the consequences in a way that will connect with executives. For example, if a CISO is talking to a CFO, rather than reeling off results of vulnerability scans, they could convey the consequences in financial terms. For example, “if a data breach occurs, the company stands to experience “x” amount of financial loss, loss of brand reputation, etc. In other words, linking the fallout from poor information security to a metric in their field of expertise.
Managers don’t necessarily understand what goes on at ground-level to achieve and maintain cyber security, for example implementing controls, making managerial decisions about investment, strategies, etc.
This problem is compounded by a lack of link-up between the organisational objectives and how poor information security can affect meeting them. Company objectives are listed in business plans, annual reports, etc., and there should be a strong linkage between those statements and the efforts made to manage cyber security and risk.
A CISO needs to show, in a hierarchical way, how their actions on the ground contribute to those objectives. For instance, how implementing controls reduces costs, improves supply chains, etc.
Andrew believes that “the benefits of information security should be outlined in terms of business metrics and data – it’s what keeps execs up at night.”
If you can show how information security directly affects business metrics and KPIs, you can articulate a logical argument for making sure that the groundwork is done properly. Once identified, the risks and their effects on metrics should be built into GRC (Governance, Risk and Compliance) policy.
Communicating the importance of cyber risk throughout an organisation isn’t easy.
Some companies use the approach of nominating a “cyber security champion”. Ideally, this would be someone who understands the basics of information risk, yields some influence, and is on or close to the executive board. This allows them to translate between technical operatives and board members, and appear as a friendly face, communicating the risks clearly.
Another effective approach is for the CISO to appoint a training and awareness officer. The CISO often doesn’t have the time to raise awareness across the company themselves, so they delegate to a nominated person. The main role of the training and awareness officer is to increase awareness of cyber security issues, by creating educational programmes and awareness drives for example.