In the wake of increasingly serious and high-profile data breaches, cyber-threats have become a board-level concern. Finally, the recognition and visibility that so many security departments have craved for so long is here.
Yet with this new responsibility comes new challenges. For security professionals, this means adapting their skill sets to communicate effectively with a newer and more senior set of stakeholders, a group that often needs to be educated effectively about the increasingly complex world of cybersecurity.
To help with this new dilemma, here are five non-security tips to help security professionals position themselves better for the boardroom battles of the future.
Present data in a different way
The security industry has a tendency to present data in a rather statistical manner. However, merely sharing how many suspicious emails your spam filter has caught isn’t likely to get the board interested in cybersecurity. On the other hand, learning to present your data in a more meaningful way, that is better aligned to the needs of your target audience, may deliver better results.
For instance, if people are told that a product they are using is high-end, this can change their expectations of that product. For example, at a food-industry expo in the Netherlands, two Dutch pranksters served McDonald’s food cut into pieces and skewered with toothpicks, and then told attendees that they were eating an organic product. Participants described the taste of the samples as being very rich, and very pure.
With this in mind, try presenting your data in a different way and see if this helps change how your audience perceives it.
Reframe
Security on its own has little meaning. Many business leaders will judge the effectiveness of their security teams through the lens of their own perceptions and feelings, and these may often include negative connotations about various security strategies.
To overcome this, CISOs and security experts should try to reframe their proposals to highlight the benefits in a different context. For example, Rudolph’s red nose made him stick out from the other reindeers. However, when placed within the context of a dark and stormy night, the luminosity of his nose proved invaluable and helped to guide Santa’s sleigh through the inclement winter weather.
So, before you present your latest security strategy, ask yourself how you can reframe it to add value to the board
Incentivize
An important reason why c-level execs are not motivated by security initiatives is because they are not incentivized to do so. Perhaps they are more focused on profits and losses, or are simply too time-poor to gain an in-depth understanding of the issues?
For security professionals, concentrating on what your audience wants and needs can help motivate boards to take action. For example, rather than talking in technical terms, CISOs could try discussing cybersecurity risks in terms of their impact on the bottom line, such as the potential damage to a brand or loss of intellectual property that could be the aftermath of a breach.
Giving things a more positive slant may also work well. For example, showing the c-suite how cyber security can be used as a vehicle for gaining competitive advantage may incentivize them to support new security initiatives.
Look for solutions in different places
Sometimes, the solution to a problem is actually lurking in a place we would not normally think of looking.
British inventor Trevor Graham Baylis CBE invented the wind-up radio. What was the driver behind this? It was not, as one might expect, motivated by clean energy, or the advancement of radio broadcasting, but by a desire to combat the spread of AIDS in Africa. Given that much of the population in the areas most affected lived in remote villages, without access to electricity or television, the wind-up radio was developed and distributed to allow AIDS awareness information to be delivered without the need for electricity or batteries.
CISOs looking for their newest security strategy also need to diversify their sources of knowledge and approaches. There is much to be learned about security from outside the industry. Attending non-security conferences and talks in different types of business sectors could help with this.
Make security Instagram-able
Finally, to be successful, security needs to be accessible to the masses. Employees are often aware of security issues that are prevalent in the media, but aren't often aware of internal procedures and potential risks.
Poor security awareness is often just due to information overload, given the sheer volume of other messages and instructions that employees receive during their working lives. To cut through this deluge, CISOs should think carefully about how they market their security guidance.
A Brooklyn ice cream brand recently increased its sales by 50% after it redesigned its packaging. It succeeded in doing so by making its product ‘Instagram-able’ – more customers wanted to buy the product in its new, attractive packaging simply to take photos of it and share it on social media.
Are there ways to re-package your security strategies to make them more appealing to your business? Because of the need to interact with the board, security teams now have a much higher level of visibility and exposure. While this situation can be significant advantage when it comes to securing the data and resources of an enterprise, and accessing additional funds, simply getting an audience with the board is not the same thing as winning their trust.
Management tiers may have been scared into action by external incidents, or impending legislation, but to really effect change in the hearts and minds of their organizations, security teams will need to expand their skills and evolve into far more than security experts.