Cybersec professionals must be experts - and expert storytellers.
By Nyuk Loong Kiw, Spark Cyber Defence Domain Chapter Lead
Every discipline has its own language and those fluent in it can sometimes forget it doesn’t make sense to everyone else. Cybersecurity professionals are often guilty of this and it does them no favours – especially around the boardroom table.
At a time when cybercrime is more prevalent and noxious than ever before, and when regulators globally are demanding organisations take more accountability for cybersecurity, ensuring those who govern the organisation understand the threats, and how they are mitigated, is critical. That’s because robust cybersecurity is as necessary as robust health and safety; senior leadership are ultimately responsible and liable for both.
Yet unlike most health and safety risks, where communicating issues is relatively straightforward (e.g. at a building site there are many unseen hazards, so everyone entering it must wear a hard hat and a safety vest), cybersecurity is complex, technical, and ever-changing. Little wonder that, in discussions with the board, cybersecurity professionals often commit three crucial errors:
1. They fail to align their cybersecurity roadmap to the business roadmap. For example, at Spark, when creating our cybersecurity strategy, we look first at what the business priorities are. (You can learn more about this approach in the article Combatting cybercrime with a robust cybersecurity strategy.)
2. They not only speak in jargon that board members don’t understand, but they provide monthly metrics that are meaningless to them and are often backwards-looking.
3. They don’t provide the context for the information they present – for example, why a certain metric makes the organisation weaker or stronger.
Because of these errors, organisations often do one of two things. They aim for the minimum requirement: whatever is needed to pass audit and compliance checks and to gain ISO 27000 certification for information security management, and then consider it ‘job done’.
Or they throw a whole bunch of money at cybersecurity, adopting the latest technology to try to boost their security posture, but fail to make a real difference. Investments like this can put strain on budgets and leave little resource for other effective security measures.
Spark recently asked New Zealand businesses about their investment in cybersecurity. More than half (56 per cent) of New Zealand organisations indicated cybersecurity as a priority for investment in the next 12 months. To ensure they get value for money, they must first work out what the risks are, and how they can be mitigated in a way that reflects the level of risk and makes the most of the organisation’s limited resources.
It sounds simple and, in many ways, it is – but only when cybersecurity professionals realise that, to succeed, they can no longer just talk amongst themselves. They must find a way to bring the board into the conversation.
As a starting point, here are my ‘top 10’ questions we ask at Spark, and for which we seek plain language answers: answers which have data to back them up, which provide context in terms of how they relate to overall business goals and strategy, and which produce meaningful, measurable metrics so our board easily grasps the situation presented to them each month.
1. How secure are we?
2. How do we rank versus other peers/competitors/partners in our business vertical?
3. What are our strongest (or weakest) security issues?
4. What are our most significant threats or risks, and what are we doing about them?
5. Are we spending the right amount on security?
6. Are our security capabilities deployed optimally?
7. Are we meeting the standard of reasonable care?
8. Are we resilient?
9. How will we cope with some of the most commonly seen threats?
10. Are we able to meet our compliance and regulatory obligations?
Some of these questions are straightforward; others will take a lot more time to determine and are more likely to change over time. Take, for example, the question ‘are we spending the right amount on security?’ This is very similar to working out whether the organisation is spending the right amount on insurance cover.
When do you tip over from sensible protection into overspending? It’s a judgement call, but one that can only be made after careful consideration of the data and other relevant information.
The good news is help is at hand, as determining cybersecurity metrics that the board and the rest of the organisation can understand and support is becoming increasingly important. When you partner with a trusted Managed Security Service Provider, such as our team at Spark, we can assist with developing meaningful metrics for your board.
There is also a growing body of information and advice in this area from global analyst firms. Gartner has developed a new approach it calls Outcome Driven Metrics (ODMs), designed to measure the outcomes of security investments. Gartner says: “These metrics serve as value levers to manage business-led cybersecurity investments. The goal is to achieve a desired level of cybersecurity readiness that aligns with the organisation’s willingness to pay for it.”
“CIOs seeking to manage cybersecurity investment must use outcome-driven metrics. Gartner has defined 16 protection-level outcomes that create a foundation for effective collaboration with boards of directors, CISOs and CFOs.”
Tools such as this are helpful in gathering the data required to ensure you are on the right path – but they are not enough on their own. Your suite of metrics is there to illustrate the journey your organisation is on; it is not the story itself.
You as the storyteller have to find, develop, finesse, and communicate a compelling narrative that captures your board’s attention and provides them with the confidence to invest in the areas of cybersecurity you identify as most important – ideally before the cybercriminals next strike.
The full Gartner, Inc. report ‘The Gartner Cybersecurity Business Value Benchmark, First Generation’ has been made available for a limited time to Spark Insight Engine readers.
Nyuk Loong Kiw is a proven information security professional with over 22 years’ experience in cybersecurity. His areas of expertise are network security, incident response, security design/architecture along with 10+ years team and technical leadership experience.