The first step to solving any type of problem is recognizing that one exists. If you’ve had an opportunity to review the survey that we announced recently regarding CEO and CISO communication, you can see that not only is there a problem, but a wide disconnect with the potential for serious business impact.
It seems as though the executives charged with security are having a tough time communicating with the CEO, and ultimately the board, around issues of security. Further complicating the matter is that the CEO community doesn’t seem all that interested in hearing about it either. So how did we get to the point where C-level executives can’t communicate on an issue that left unchecked, could cause incalculable damage to the company?
Simply put, the two groups are speaking different languages. CEOs and boards care about financial performance and business issues that impact stock prices and market share. Tech people tend to speak in terms of data and bits and bytes and botnets and viruses. This type of conversation does not translate well to an audience that views security as very black and white; does it work or doesn’t?
So how can CISOs go about changing the culture in their organization so that the issue of security is taken more seriously from the executive branch of the company? Here are a few tips to start everyone down the path of better communication and better security.
- Set the Tone: if security is going to be a priority in the organization it’s your responsibility to make it happen. Establish a regular security briefing with the CEO and tell him what he needs to hear, not what you think he wants to hear.
- Add Business Context to Security Discussion: Throwing around numbers such as 75 thousand instances of malware or 50 thousand viruses detected doesn’t mean anything to the CEO. Telling him that the company runs the risk of suffering a $5m loss if steps aren’t taken, is the type of language that resonates.
- Be Predictive: The best CISOs always make the point that they aren’t paying their teams to tell them what happened yesterday, but what will happen tomorrow. CEOs don’t want to hear reports on past events either, tell them what is being done and what needs to be done in order to protect the company against future attack.
- Prioritize: Don’t expect every concern to be addressed by the CEO. Settle on the big issues that require his attention. A good rule of thumb is highlighting the three security issues with potential to impact the business.
Better security is everyone’s responsibility, but ultimately that tone needs to be set at the highest level of the organization. Establishing a regular briefing with the CEO and putting security issues into business terms will be a good start to bridging the communication gap that currently exists. At the end of the day, everyone involved wants the same result; speaking the same language is the best way to ensure everyone is on the same page.
– Mike Yaffe, Senior Director Product Marketing