Moving Past Fear: How to Gain Support for Your Cybersecurity Program

October is Cybersecurity Awareness Month and Halloween is just around the corner so it seems fitting to explore one of the most frightful dimensions of cybersecurity: executive support.

When I was seven or eight, like other imaginative boys, I was convinced there was a monster under my bed. Once the lights went out, I would do everything possible to ensure my feet didn’t contact the floor and wake the monster. The fear wasn’t rational, of course. I never saw a monster. Nevertheless, I had convinced myself there was a monster under the bed and responded accordingly.

Now that I’m older and wiser, I know better than to let irrational fear control my actions. But as a cybersecurity professional I often see scare tactics used to motivate senior leaders into action – albeit unsuccessfully. This tactic usually fails because fear isn’t an effective motivator for sustained action, like supporting a cybersecurity program. Fear is best at activating our fight-or-flight response so unless your organization is currently experiencing a cyber-attack, fear is unlikely to motivate senior leaders to create or invest in a cybersecurity program. The timing and implications of a possible future cyber-attack are just too abstract to trigger an effective response. As cybersecurity professionals, we know that “monsters” exist – they are Conti, L0pht, APT29, skiddies and countless others that we read about every day in news reports, but they are under someone else’s bed.


So, what are some effective ways to motivate your organization to take steps to improve your cybersecurity program?

Become An Influencer
Taking a page from Andrew Carnegie, “No one likes to feel that he or she is being sold something or told to do a thing. We much prefer to feel that we are buying of our own accord or acting on our own ideas.” Neither finger-wagging nor cultivating FUD (Fear, Uncertainty and Doubt) around your organization’s cybersecurity posture is likely to be as effective as establishing good relationships. Unfortunately, when many senior executives look in the window of their IT departments, they see propeller heads. It’s up to middle and senior IT managers to truly understand the business’ goals and the role they play in the processes that support them in order to establish some middle ground.

This is not a quick process – it takes time to invest in a relationship with senior leadership and build trust. Start out with the proverbial “elevator pitch,” a one- or two-minute stump speech on what’s important to you that day in cyber. Cite current events specific to cybersecurity and your industry, and avoid technical jargon. Avoid adversarial language like “they,” “them,” “the business” or “operations,” using “we” instead to demonstrate a cooperative approach. Is there an influential contact inside or outside the organization who can help start the conversation? Before long, you will have a coalition of supporters talking about cyber risk and ready to invest in your program.

Communicate Value
Provide regular feedback on the organization’s critical cyber risks. Senior leaders are most concerned about the “A” in the CIA triad (Confidentiality, Integrity, Availability). Explain how critical risks to availability can impact business processes and relate that to how those processes generate income. Report on any close calls or recurring short outages that could lead to something major if not addressed comprehensively. This can be done through monthly or quarterly reports to senior leaders, in non-technical terms with a two-fold focus on their value to the business. First, what is the value gained by investing in cybersecurity – will those investments open new markets? Second, what is the value lost to a service disruption – considered in real dollars and reputation?

Imitation is the sincerest form of flattery. If the CEO and other senior leaders are receptive to how financials and audit reports are presented, take a page from those value centers and present cyber risk information similarly.

Benchmarking
Keeping up with the Joneses isn’t just a suburban phenomenon. Benchmarking is a way to compare aspects of one organization with another. There is a growing list of third-party security assessment tools available, including Security Scorecard, BitSight, CyberVadis and OneTrust, that objectively rate the security posture of two or more organizations from publicly available information and services. Some tools use a letter grade (A-F), and others use a numeric score to report the findings. Most vendors are happy to give you the score and an executive summary of your own organization. The same cyber risk profile data is available to subscribers of the service, including customers and competitors, which makes this information valuable to senior leaders of any organization. Becoming a paid subscriber will get you access to detailed reports on your own and other organizations to compare side by side. It’s always a good idea to know your security posture, but a poor grade on the assessment platform can spell trouble for your organization’s reputation even if it never experiences a cyber-attack.


Never Let a Good Crisis Go to Waste
Fear can still be an effective tool once an event like a cyber-attack has occurred. Once the dust settles from the incident, senior leaders will have some questions about how such a situation can be avoided in the future. Make sure you have a “break glass” budget with an accompanying plan ready for such a rainy day. The budget should include wish list items not approved in the regular budget and focus on areas with critical information assets that could benefit from additional safeguards. For example, if your organization has an effective anti-malware solution, consider adding a behavioral monitoring component or endpoint detection and response (EDR). You might have a syslog server already, but security information and event management (SIEM) can provide critical event correlation and alerting.

Whichever approach gets you traction, an effective cybersecurity management program requires active support from executive leaders and stakeholders. By applying a proactive, consistent, risk-based effort, your senior leaders will see the value proposition and your organization’s information assets will be better protected.

If you’re interested in learning more about how to build or improve your cybersecurity management program, contact me at info@southlakecyber.com or call 352.936.1886.
