In June CORE Security released the findings of an independent survey of those in charge of cyber security for companies, as well as CEOs. What we found was that there was a serious disconnect between these two job titles, and in many cases the two parties barely communicated at all. It also appears that when they did, they were speaking two different languages. At the time, I opined about what seemed like an apparent lack of interest or concern for the matters of security from the highest executive levels of an organization. Yet, now that some time has passed and I have had the opportunity to discuss the findings with some of my peers in both the security industry and the business community, I’m beginning to think that the disconnect has as much or more to do with confusion and communications breakdown than it does with interest.
The person in charge of security, be it a chief information security officer (CISO), another IT executive, or a technologist, is under a lot of pressure. The threats against his or her network are growing more sophisticated and frequent by the day. Oftentimes a CEO can be under the impression that security is a “tech” issue that is handled by that department in a silo, unaware of how it impacts the business.
When I’ve spoken with other CEOs on the topic of security, they often voice their own frustration that those leading the security practice within a company struggle to communicate concisely what the threats are, how they affect the business, the potential for loss, and whether or not investments made in security are actually paying off.
When CEOs ask for updates from other members of executive leadership, they generally receive a pretty clear report on the state of the business. Take the CFO, for example: when asked to report on the financial state of the business, they will produce a P&L or a balance sheet that clearly articulates the most important information in a manner that has meaning and substance to everyone at the table. Ask a CISO and you are likely to receive a report that varies greatly from organization to organization and, in many cases, doesn’t tie the issue of security to the business very effectively.
So while I realize that security priorities can vary and that a standardized report may not be practical, I would like to offer some advice to those charged with leading the security effort that will help better connect you with the CEO and ensure that security is receiving the attention it deserves from the corner office and/or the board. Here are five tips for an effective conversation between a CISO and a CEO:
- Keep it short. I’ll call it my five priorities – a five-minute CEO conversation. What I mean by this is that if you can’t articulate the key points the CEO needs to know about security in five bullets or fewer and explain them in simple-to-understand terms, you may want to restructure your conversation to make sure the message isn’t getting lost in the technical details.
- Don’t get too technical. Don’t feel the need to include in your report every statistic on how many times your network has been probed, threatened, attacked and so forth. This only serves to create noise that is distracting.
- Keep the conversation about the business threat – not the technology. For example, if you are looking to make the case for a security upgrade or additional investment, avoid the discussion of threats, malware, botnets, etc. Focus instead on the probability of business loss and what the organization stands to lose if its intellectual property or other critical assets are compromised. These are the types of issues that the CEO, and by extension the board of directors, care about. They are charged with protecting the business and the financial value of the organization. If you can tie the security discussion to the business, you are going to more effectively convey the importance of what you need.
- Make it a two-way street. The issue of security is an important one. If you need the CEO to pay closer attention and be more responsive to your requests, it’s also incumbent on you to do a better job of conveying the need and the link to the welfare of the business.
- Be consistent. Whether it’s a weekly or monthly meeting, schedule time with the CEO to give that full update. Security won’t be viewed as a priority unless it is in front of him or her regularly, so the CEO can grasp the landscape, appreciate any improvements, understand the issues and provide the resources or counsel when needed.
Mark Hatton, President, CEO