Nobody wants their enterprise to be the victim of the next big data breach. For chief information security officers (CISOs) and others who eat, breathe and sleep technology, the solutions seem obvious; there are, after all, not many times, waking or sleeping, that we’re not thinking cybersecurity best practices.
But there’s a hidden danger to being too technical. When we walk into a boardroom and brief our business’s top brass on topics like risk, it’s easy to think we’ve painted a clear picture of what needs to happen, when in reality we’ve gotten barely anything across. That's because while the almost esoteric cyber-talk that we have within the industry works well when we’re sitting around a whiteboard talking to security professionals, such conversations don’t always resonate with people who don't, for instance, know what polymorphic malware is.
But the board of directors are the key behind-the-scenes players in an effective cybersecurity strategy. Their buy-in and, yes, their willingness to utilize funds and resources to support initiatives, are what keep client data safe and businesses out of the data breach headlines. And so, the following strategies for helping the board “get’ cybersecurity without getting too technical are great steps to take to open up this ever-so-important, ongoing discussion.
- The Demonstrable Value of Fixing Problems Early
- Impact-Oriented Explanations
- Talking Threat Prioritization with the Board
In the software development and DevOps world, there’s a growing appreciation for the fact that identifying and fixing a problem early in a piece of software’s development lifecycle saves a lot of trouble (and money) in the long run. That’s because the farther down the development road map you get with a bug in place, the more things get stacked on top of it. And once the software is implemented, developers have another whole pile of logistical problems to deal with; like developing a patch that works and making sure it gets rolled out correctly to every enterprise using the software. It’s easy to see why it pays to fix things early.
The same principle is true for catching, managing and mitigating a data breach. The damage a data breach causes spirals out. The longer a business goes without taking action, the worse it gets. From the in-house technical costs to loss of client trust to negative PR – the quicker a company handles a breach, the less compounding damage there is to deal with.
The same principle is true for catching, managing and mitigating a data breach. The damage a data breach causes spirals out. The longer a business goes without taking action, the worse it gets. From the in-house technical costs to loss of client trust to negative PR – the quicker a company handles a breach, the less compounding damage there is to deal with.
Adopting the software developer’s “fix it early” model doesn’t require that board members go particularly deep on the tech end. Once the board understands that it’s better to nip a data breach disaster in the bud, they’ll see the value of practice.
Structured walkthroughs of hypothetical data breach scenarios – detailing everything from how the business informs the media to how it addresses customers – can be hugely valuable in preparing everyone from the C-suite to the IT front line in the case of a real, live data breach. Training the board on what steps they need to take can stave off PR devastation and huge financial losses.
Discussions about impacts take you out of the technical sphere and into a world the board understands. Explaining the tangible costs – fines and loss of data – as well as the intangibles – bad press, customer attrition and brand damage – can help drive home exactly what’s at stake when it comes to cybersecurity.
Boards need to recognize that a data breach can pose a significant existential risk to a business’s longevity. But it’s not just the company brand that suffers. A board might not think of the fact that, when a company falls victim to a breach, everybody knows the name of the CEO on down the line.
It may be unfortunate and unfair that individuals on the board who had nothing to do with a data breach will end up with a black mark on their record, but it happens. And so, communicating this simple fact can resonate and get across the point that cybersecurity is something to take seriously – for everyone’s sake.
It’s easy to skew technical when talking about things like network architecture. But when it comes to the importance of threat prioritization there’s an easy non-tech truth to get across to the board. That is that a vulnerability in a system that’s inaccessible from the outside is less of a concern than one that’s public facing – the same way a broken window on the ground floor of a building is a much bigger problem than one four floors up that can’t be accessed from the outside.
Opening up the discussion in this way and walking the board through the importance of threat prioritization will allow them to trust you when you’re asking for resources to be directed to a specific area. That way you can work together to react to the threats that really matter to your business, rather than the ones that are getting the most press.
How you communicate with the board is just as, if not more important, than what you have to say. In order to get buy-in for your recommendations, you need to speak their language and focus on what’s important to them. Following these three steps can help you position yourself as a trusted advisor who can protect the business from cyberthreats, getting your current project – and future ones – the support you need.
Ready for the next step in your cybersecurity career? Check out the CompTIA Cybersecurity Career Pathway.