Infosecurity recently spoke with Jonathan Goldberger, VP global security at Unisys, to discuss communicating cybersecurity to C-level execs, the evolving role of the CISO and whether boards need to be more ‘cyber-savvy.’
What is your advice for effectively communicating cybersecurity to C-level executives?
CISOs cannot continue to talk about security without putting it into a language that C-level executives understand. Much like the accounting, sales and marketing teams have to communicate their spend and return on investment, the same must be expected of security leaders. For example, asking for more budget to protect the organization from a £1m per day system outage holds more weight with an executive than trying to explain the way a technology works in combatting threats. Only when the liability of the business is explained in value terms will C-level execs place greater importance on IT operations.
Are IT security leaders still failing to effectively communicate cybersecurity to C-level execs, or has there been recent improvement?
Unfortunately, there is still a major disconnect between security teams and C-level execs. Until IT security leaders can speak the same language as C-level execs, we’ll continue to see large-scale breaches. Consider Equifax – over 500 million records were lost, which equated to a reputational risk of £300m. I would imagine executives would support security differently if they knew the realities of loss based on defensible data. Unfortunately, most security leaders are only able to speak in infosecurity threat terms like Struts, ransomware, SQL injection, etc. These terms do not resonate in the boardroom.
What is the risk of failing to effectively communicate cybersecurity to C-level execs for IT security leaders?
Ultimately, the risk of not communicating the importance of cybersecurity is the potential for a catastrophic cyber-event, which could not only cripple the company financially but do lasting damage to the brand’s reputation. In addition, by not understanding the magnitude of cybersecurity, C-level execs are in danger of failing from a leadership perspective, as they are not representing the shareholders adequately by exposing the business to risk. This includes a lack of response, which could lead to executive job loss or even prison.
For a CISO, their inability to communicate risk in business terms is one of the key reasons the average tenure is 24 months.
Speaking at TEISS 2019 recently, Ciaran Martin, CEO of NCSC, said that boards need to get more ‘tech-savvy’ regarding their understanding of cybersecurity. Do you agree?
Instead of ‘tech-savvy,’ I think they should be more risk-savvy. In today’s threat landscape, companies aren’t targeted because of who they are, but instead they are targeted due to how vulnerable they are. Much like how a pickpocket may be on the lookout for a tourist keeping valuables out in the open, the same can be applied to cyber-criminals scanning businesses for cybersecurity cracks. Whether it’s a nation state looking to get the upper hand, a cyber-criminal who wants to make money from selling sensitive data or a trusted employee practicing poor hygiene – real money is lost and earned. As such, finding anomalies within the network and validating user and machine identities is paramount to staying resilient.
Do you think the CISO should have a seat on the board, or at least report directly into it?
While the role of the CISO has evolved, their job is not to sit on the board, and while many CISOs have taken the step to report directly into the board, they are still failing to communicate correctly. Years ago, the CISO simply had to understand security to buy new technologies; fast-forward to today and we are now in an age of risk management where the next step is communicating risk in business metrics. Only when this gap is bridged can CISOs validate their current IT security program, defend future spend on technology tools and become a component of the business that allows the organization to capitalize on its business effectively.
These topics will be explored further in the ‘Three Things Every Boardroom Wants to Know’ session at RSA Conference 2019 in San Francisco this week.