David Geer | November 02, 2016

Fixing the communications breakdown between IT security and the board and c-suite

In the months before an unexpected crisis, IT security requests specific tools, training, and additional staff to keep enterprise data safe, but does not substantiate the need in terms the business can understand. The c-suite denies the requests, pointing to the investments they have already made in security technologies. Suddenly, hackers strike with a massive cyber attack.

Suffering financial losses and brand damage, the c-suite asks IT security what happened. Security responds that they need specific tools, training, and staff to mitigate these concerns. But again, security does not make a business case in language the c-suite can appreciate. The leadership turns to existing vendors, who sell them their latest security products.

Armed with products that do not address all of the specific vulnerabilities the company actually has, the c-suite returns to other matters. Months later the enterprise falls prey to similar attacks. A cyber security communications breakdown has kept the enterprise moving through this same cycle for years. The answer to breaking out of that rut lies in fixing those communications.

Meanwhile, IT security operates without the threat intelligence and security operations capabilities it needs, which leaves its teams handicapped when fighting the company's security battles. Spend on expensive security tools such as next-generation firewalls remains high, while investment in relatively inexpensive security staff training is underwhelming.

“New security tools may be expensive,” says Earl Crane, Ph.D., CISSP and Co-Founder of Emergent Network Defense, “but they are useless unless you train the staff. The organization must have the maturity to use the tools.”

Cultural Differences That Garble Communications

Top leadership must interpret operational challenges, business value, and financial impact based on the organization’s business model, market and culture, according to Crane. Meanwhile, IT security teams keep their heads down, fighting on the front line of security, fixing and updating errant configurations and closing holes where phishing attacks can enter, continues Crane.

As a result, many IT security teams have little buy-in from business units for their broader organizational objectives; because leadership has not given explicit guidance on how IT security should operate, they are left to determine their own path, according to Crane. “The fact that unsophisticated executives will leave the information technology organization alone while assuming that information technology security is taking care of any issues compounds this challenge. This can go on until a significant cyber event occurs,” says Crane.

Communicating from the bottom up, IT security must talk to the c-suite in terms of the effects that security-related decisions and resource allocations have on the business; otherwise the message fades into the background. IT security needs to impress upon the c-suite which risks a given resource will mitigate and how much in financial losses balanced, proper threat mitigation can avoid.

The CISO plays a key role in translating IT security’s message into those terms. The CISO or Chief Risk Officer must convert weaknesses such as slow response times, business unit exposures, and operational delays into pains that executives understand so that they can effectively respond, according to Crane.

According to Crane, CISOs can communicate from the bottom up by explaining why it is critical that business units comply with policies such as those on handling suspicious or phishing email or those requiring close supervision of third-party contractors. The CISO must structure communications so that business units see how IT security's requirements enable them to ensure their own stability and continuity, according to Crane.

“A CISO might translate the business value of an information technology security move like this: ‘Instituting a new email block led to a 50-percent reduction in malware. That helped us to divert 20 cybersecurity staff to our more important fraud prevention initiative,’” says Crane.

Fixing communications from the top down, any decision about budgeting, planning, and carrying out IT security training, operational focus, and resourcing needs to be rooted in the results of a cyber risk analysis, and specifically in the company's cyber risk appetite. “Establishing a cyber risk appetite is the most important thing leadership can do to break the communications logjam between directors, officers, management and operations. Managing to that cyber risk appetite is the second,” says Crane.

The cyber risk appetite lets leadership capture business-based IT security priorities and express them as the level of IT security risk the c-suite finds acceptable, explains Crane; boards will find the National Association of Corporate Directors' free Cyber Risk Oversight Handbook useful in this area.

“Management must execute information technology security operations based on the cyber risk appetite, and highlight in business impact terms when a business unit or the organization is taking more risk than the board and executive leadership agreed on,” says Crane. The same goes when the finding is that business units or the enterprise are not taking enough risk in certain areas. For example, leadership could determine that it only needs to patch the most critical systems, while isolating less critical systems as a compensating control instead of patching them; this could also free up resources to meet other IT security needs, according to Crane.

With IT security priorities in hand, the board and c-suite need to communicate to IT security that they will follow through: funding any needed training, keeping lines of communication with IT security open, and supporting IT security throughout the organization.

C-suite Buy-in

To get buy-in from the c-suite, IT security needs to explain the security vulnerabilities first, and then talk about how certain solutions will make a difference. That way the organization already has the right solution when attacks occur. “With many organizations, the board manages risk in a reactive manner in response to a security event. An event such as ransomware comes along, then they buy the first solutions that people bring to them to solve the problem,” explains Nick Santora, chief executive officer, Curricula. That’s not the way to go.

IT security can help by briefing and educating the board on current events, economic impacts, industry news, and other relevant decision-making data between significant security events. That builds the security team's credibility, which reinforces its message when it is time for leadership to make security-related decisions, says Santora.

To make communications matter to top management, IT security needs quantified research and specific sources to support its claims about security vulnerabilities and solutions. “They can get this with some help from a proper business analyst or the project management office,” says Santora. That is far more persuasive than opinion from IT security that is not argued with specific facts.

These half-dozen tips and tools for the board, the c-suite, and IT security are a good start toward getting everyone on the same page about the real issues and the most effective solutions.