How do you educate the boardroom on the information security dangers the business is facing on a daily basis? That's a difficult question, and one that's done the rounds in the industry for many years.
Fortunately, it appears as though the tide is turning. Security awareness training is now high on the agenda, and security-conscious companies are trying to establish a deeper connection between the CEO and CISO (or IT manager).
The communication problem is perhaps getting easier, and justifiably so. A report from Trustwave reveals that six in 10 FTSE companies now name cyber security in their annual reports, while high-profile data breaches – and incoming EU legislation – make senior execs aware of the financial impact. However, for many companies, getting time alone with the CEO is one thing, but communicating with them in a way they understand is another thing altogether.
This issue came up at the recent SC Congress London, where Thomson Reuters' Daniel Schatz urged IT managers to establish concise communication, but also to stand their ground on the issues that need resolving.
“Don't get totally stuck by what the executive team is saying in terms of threats,” he said.
Professor Edward Obeng, the founding director of Pentacle, believed to be the world's first virtual business school, says that simplicity is the key to driving boardroom change. “The key to driving change fast, and to keep brains [switched] 'on', is to not surprise them with anything new. Change it into a story,” said Obeng, who was speaking at Gartner's IAM summit in Westminster this year. Obeng said that the second stage should be to remove fears and “keep them coming with you” by narrating an easily digestible tale that relates how those fears could affect them.
“The third thing is to engage people, get people excited…you need to engage thinking.” He urged CISOs to use “analogies that fit with your situation” to advise the board on imminent threats, but warned: “They're never going to understand technology, big data, the network – they won't get it – it's not their job. The reality with change is that you have to engage the human. We're all designed the same way – don't scare them, go on a journey, engage people.”
MWR Infosecurity director Alex Figden agreed that Obeng has 'some interesting ideas', and while he agreed that simplicity in the message is important, he argued that the message should be in the language most interesting to the CEO – money.
“It's very simple. In the last year the impact of cyber attacks, studies have shown, has become a very important issue,” he told SC Magazine UK.
“There is a language barrier but the big issue that comes up time and time again is that you need to communicate in financial figures. In every single case it opens up a discussion, and then released budget for defence.” He added that CISOs should give examples of recent breaches, since every organisation has had an incident, together with the approximate costs involved.
“The beauty of talking in money is that they don't need to know the details. Focus on the costs and the remediation.”