As a business executive or board member, how do you feel when you are talking to your organization’s CISO? Do you feel like you are on the same page, speaking the same language? Or do you feel overwhelmed by jargon and techno-babble that requires an interpreter?
If your answer is the latter, it’s not your fault. You shouldn’t have to know all of the jargon or speak in the language of a technologist. Rather, your CISO should be speaking the language of business in a way that is easy to understand, relatable to your needs and focused on the bottom line.
That’s the advice of Diane E. McCracken, and she should know. McCracken is a widely known and well-respected chief security officer at a midsized bank located in the northeastern United States and, as she says, a technologist at heart. But although tech talk is her native language, speaking it in the boardroom is a definite no-no.
“In today’s environment, cybersecurity professionals need to learn a new language,” she says. “The language of money. That’s when board members and executive management pay attention. They need to know what the investment is really buying and whether it will protect the organization.”
McCracken offers advice to her colleagues and peers as a speaker at various conferences and, recently, as an author in the upcoming book Navigating the Digital Age, Second Edition, published by Palo Alto Networks. She also provides guidance for business leaders on what to expect and demand from their CISOs.
For CISOs, the main advice is to learn the language of business. Use numbers, speak in specifics about risk, anticipate questions and use your imagination. In one particular case, she used an allusion to the pop icon Taylor Swift to make a point about cloud computing. But if Taylor Swift doesn’t work, there are always two areas that will resonate: one is risk and its consequences; the other is business enablement.
Advice for Executive Management and Board Members
Just because the onus is on the CISO to speak in your language, that doesn’t let you off the hook as a business leader, says McCracken. You too have to be vigilant. You have to establish a regular cadence that includes the topic of cybersecurity in board meetings. You have to insist that the security teams present information in language and formats that are clear, simple to understand, relatable and focused specifically on the value to the business. Most of all, you have to support your cybersecurity leaders.
“They are fighting a nameless, faceless adversary on your behalf,” McCracken says. “They have to be right thousands of times a day; the bad guys have to be right just once. In order to be successful in the cyber world, both parties must be in sync, and only through these conversations will that be possible.”
The Language of Business Enablement
One of the more important challenges for CISOs is embracing the concept of cybersecurity as a business enabler—and then articulating that value so it captures the attention of business decision-makers. McCracken offers one example where the solution was to show the board the money.
In her organization, the tech teams wanted to bring software development in-house as a means to improve quality assurance and accelerate speed to market. From McCracken’s perspective, the key was to ensure that security was factored in at every stage of the development cycle. To convince the board, she created a flow chart that showed the cost of remediation early, midway and at the end of the development cycle. The numbers told the story for her, and the board fully funded the program.
“In a case such as this, it is clear that the role of the CISO is as a business enabler,” she says. “It’s not our job to say ‘No.’ Our job is to advise on the risk and put the controls in place to appropriately limit that risk. When the business needs board sign-off, I must be able to address the risk in language the board members understand. With business leaders and the board, money is the universal language.”