IT security staff face a ‘first-impression' challenge when interacting with company board members and the C-suite: The first conversation between the two will likely be about establishing a 12-digit 'secure' password.
“This is the first interaction you’re likely to have with that individual,” said Bobbie Stempfley, director of cyber strategy implementation at MITRE Corp., speaking at the Infosecurity Magazine Conference in Boston. She noted that this feeds into a certain “IT security is annoying and hard” stigma that IT decision-makers need to get past — especially when they seek investment sign-off from senior management on cybersecurity.
In a discussion on articulating risk to senior management and enabling decision-making, Stempfley noted that preparing for effective executive engagement starts with understanding how one’s role is perceived. Are you the head of IT, a CISO, an insurance officer or something else? Are you always bringing bad news? Do executives expect you to know about every device connected to the network, and every aspect of risk?
Secondly, it’s important to use this self-understanding, and to define a context in terms of executive preconceptions about their responsibility when it comes to cybersecurity risk.
Stempfley explained that there are a handful of common narratives that tend to permeate executive conversations. One is the idea that cybersecurity is a law enforcement problem, i.e., “if something goes wrong, call the FBI.” Another is the characterization of cybersecurity as being far too complicated for business leaders to understand. And yet another is disbelief: “You’re trying to sell me something, so you’re trying to scare me. This is fear-mongering and there’s nothing actually wrong.”
There are others, too, including the well-worn “too much to do, overwhelmed, under-resourced” narrative, the idea that cybersecurity only matters from a compliance standpoint, and a feeling that managing cybersecurity risk is too bureaucratic and government-dictated to primarily fall on the shoulders of the business.
“The utility in knowing what these narratives are is that you can control that narrative in your risk presentation,” Stempfley explained.
Once you know which narrative you’re dealing with, a good place to start is working with stakeholders to make a determination about which data is the most valuable and why. For instance, personally identifiable information and HIPAA-protected information is usually ranked high, while limited internal data loss might be ranked as a lower priority.
Then, conversation becomes about the business implications of that data’s compromise, and from there, how to build the network to protect the data at an appropriate level, and then assessing what the risk posture looks like.
It seems straightforward, but the interrelationship between risk and cyber-threats, how data is valued, investment in the network and business objectives is complex and tangled. So, it’s also important for IT pros to understand how to clearly map business imperatives to cybersecurity risk using terms and examples that are intelligible to non-tech personnel.
“It’s something that we tend to not know innately—we have to learn this,” she said. “One of the biggest challenges is the challenge of language. IT security pros map the mission to the network to the data. Understanding what each risk point is and how it relates to everything else is the concept to work with, but how do you communicate that in business terms?”
Quoting Winston Churchill (“Out of intense complexities, intense simplicities emerge”), she explained that the goal isn’t about hiding the complexity, but rather, interpreting it—and determining what metrics and models are important to one’s specific company.
For instance, reporting and dashboards can be used to manage that level of complexity and roll it up to a level that speaks to business owners.
“You want clear, understandable abstractions of the complexity,” she explained. “What threats were blocked at perimeter or at the exchange server? Which made it to the client device or internal network? Were these carried out by APTs, unknown actors, non-APT? And what was compromised: Client, server or data?”
Also, the conversation will change depending on which stakeholder one is speaking to. The CEO is interested in different information than the marketing chief. Effectively engaging the C-suite and communicating security risk requires a savvy understanding of one’s company culture, business and different divisions and siloes.
“Ultimately, IT security decision-makers are faced with a meta-leadership problem, wherein she or he must communicate the situation and context to a variety of siloes and culture, leading both up, across, and down, all at the same time,” Stempfley said. “It’s not easy, but it’s necessary.”