As cyber threats become more frequent, more sophisticated, and more impactful on business operations, organizations need to adopt a practical approach if they are to make sense out of what promises to be an uncertain and confusing future.
Yes, many business executives and board members will convene meetings with their chief information security officers and other senior IT executives to consider financial investments and changes to business processes. And many of those discussions will be riddled with technical buzzwords and talk of things like intrusion detection systems, UEBA, multi-factor authentication, next-generation firewalls, network segmentation, and machine learning, just to name a few. Your top IT and security experts will undoubtedly impress you with their depth of technical knowledge and give you an array of solutions to “defend the perimeter” and establish “multi-layer security frameworks.”
And when those buzzwords start flying and the acronyms dominate discussions, your reaction and response should be simple:
I don’t mean you should ignore or belittle the technical expertise of your CISO or CIO, or disregard their requests for smart and even potentially large increases in security budgets. “So what?” is just the lead-in for a series of questions that need to be properly addressed.
- How is this threat impacting or could impact our business?
- How are our customers and partners going to be affected?
- What are the financial, operational, regulatory, legal, and brand implications of the threats?
- What is our risk exposure? What is our residual risk?
- How will we know if we are succeeding in defending our most valuable assets?
- How can we look around the corner at what’s next?
And the hardest question of all: How are we measuring success? In other words: So what?
Several years ago, the financial services industry was attacked—not by masked thieves breaking into our vaults under the cover of darkness or by smash-and-grab robberies of our branch offices. It was a cyberattack—a Distributed Denial-of-Service (DDoS) attack, to be precise, targeting the US financial services sector. And it was a real mess.
Seemingly, no financial services organization was immune—and that includes where I worked at that time. In fact, we were hit twice. Believe me, the fact that we had plenty of company did not it any easier for us.
I sat down with my SecOps team, and posed an open-ended directive to them: “Give me a short presentation for the board, no more than three slides.” I wasn’t surprised when the team came back with a technical presentation on botnets, how they occur, what they do, and all the technical considerations. What the brief didn’t include was an answer to the fundamental question: So what?
I challenged some of the leaders within my group to go out and talk to business teams, to understand the financial, operational, and reputational impact of being offline, let’s say, for eight hours. In fact, I suggested that the Business Continuation team would be a great place to start, since their annual Business Impact Analysis would be an authoritative source of valuable data.
They learned their lessons well. They came back with a tight, business-oriented presentation that was short on technical minutiae and long on business impact.
There were very definite answers pertaining to lost business, inability to service customers, impact to money movement transactions, etc.
Using our “so what” yardstick, how can business leaders and CISOs build and nurture a culture of cybersecurity?
- Demonstrate that it is a top-down strategic initiative. Sending out memos and approving policies on good cyber hygiene are fine, but they lack “so what” impact. Your organization needs to see its leaders “walking the walk” by doing things like engaging security team members on new-product development teams from the start, rather than simply having them eyeball your new IoT initiative as it’s about to be released to the market.
- Real leadership goes beyond writing checks. Again, having business leaders and board members approve important cybersecurity investments is important. But it fails to deliver the “so what” impact of steps like having your CISO report to a senior executive outside the typical CIO chain or having regular interactions with the board.
- Making the right personnel decisions means everything. It may sound counter-intuitive, but I believe we are all often better served by having fewer, rather than more, FTEs devoted to cybersecurity—as long as they are the cream of the crop. Business leaders have every right to ask “so what” of the CISO who puts in a request to expand his or her team. So, what will this expansion do to decrease risk, improve business operations, or enhance products and services?
- The executive team and board members need to commit to continuous security education. Regularly scheduled presentations to the board and continuous conversations with business executives are good but, self-initiative on the part of the board and C-suite executives is better. Don’t just sit back and ask your CISO for a briefing; take the lead and get educated on your own. Visit with the security team on-site and ask questions. Spend some time reviewing threat intelligence reports with your CISO. Attend conferences and listen to podcasts.
- Adopt a “secure-by-design” approach. This should be applied to everything from new-product development to how you use technology for everyday operations. Policies like changing passwords quarterly are annoying to your employees, in large part, because they don’t hear their “so what” pleas answered. The same is true with your system engineers and application developers.
As is true in nearly every type of relationship, your ability to get everyone on the “so what” bandwagon is influenced heavily by how you send your messages. Different people on the receiving end of a “so what” missive can interpret that in different ways, and the results can range from instant learning and embracing the spirit of “so what” to hostility, confusion, and fear.
For C-suite executives and board members, what you don’t want or need is a growing cascade of reports, dashboards, and metrics. CISOs already have a vast amount of information that they are sending to business stakeholders about vulnerabilities and risk; just dumping more data on the desks of decision makers isn’t going to work. Board members and executives have to walk that fine line between getting “so what” answers and wallowing in tactical details. And, time is always a limited commodity.
One way to help is for business executives and boards to train the technical presenter—the CISO, CIO, or anyone providing security information to the business side—not to pull the crowd into tactical, technical discussions. Board members, in particular, have a limited amount of time, and they need to have confidence and trust in the people accountable for ensuring the organization and its assets are secure. Coach your CISO and their team on how to deliver strategic answers to the “so what” question.
For business leaders asking “So what?” may not be an easy process. Your technical leaders have a tendency to want to give you the whole story, to tell you everything. You have to help them pare that down.
Gary McAlum is Chief Security Officer and Senior Vice-President for Enterprise Security, United States Automobile Association. This article is adapted from Navigating the Digital Age, Second Edition.