Typically, security risks and challenges raised by your IT security team are only recognized after there is an actual cyber security event. Incidents such as ransomware or DDoS attacks quickly become a priority for executives and place them in a reactive mode.
Being proactive is sometimes hard to quantify in the IT security world, with a conversation looking like, “That can’t happen to us; it has never happened before.” With that said, the IT security group first needs to identify the problem.
So much time is spent here explaining available solutions, budget and potential solutions’ features. The team needs to start with a problem discussion with their Board and C-suite first. Once a problem has been identified, valued and understood as a business risk, then the solution to that problem should be discussed in detail.
“Once a problem has been identified, valued, and understood as a business risk, then the solution to that problem should be discussed in detail.”
How to define your cyber security problem
Sometimes the Board and execs don’t clearly state their agenda and give a “no” answer during initial discussions. This is not uncommon, since their job is to decide what time, resources and investments should be committed within the organization. The more research and insight brought to these discussions, the easier their decision becomes. Unfortunately, most of that information is not brought to the table initially, and it takes several requests for additional resources and data to clarify the challenge at hand.
Boards need briefings and education sessions beyond only being invited when they are needed for something. They should be made aware of current events in the industry, economic impacts, industry news and other relevant decision-making evidence. The IT security team can help by educating their Board during periods when they are not needed for a decision. This will give the IT security team credibility and lay the groundwork for a better relationship when they need something down the road.
A great example of this would be deciding the need for a security awareness training solution for your organization. Of course, you can start by simply listing an assortment of vendors, pricing, features, etc. But we know that’s the wrong approach, because that is simply jumping right to the solution without discussing the problem in detail.
First of all, you must discuss the problem statement, which is focused on the human risk in cyber security. Your goal would be to educate your staff members so they have an understanding of cyber security best practices, and to help lower your overall organizational risk through a cultural change and a basic understanding of cyber security risks.
Now, imagine this conversation taking place within your organization. Your entire effort is spent on getting the Board to understand the problem first rather than simply finding a solution. Explaining that over 95% of all security incidents involve human error might be a great way to open this dialogue up. Now, imagine talking about very specific issues your organization could face when dealing with human error.
What if a member of your HR team opened a phishing email and gave away their credentials? What if an executive lost a laptop that was unencrypted? Talking openly about these issues will start to bring to light some of the risks associated with your problem statement.
Cultural differences and communication challenges with the Board
Executives are focused on the business as a whole and have a lot on their plate trying to keep stakeholders happy – everyone is fighting for their time and priorities. As an IT security team, most of the time their priority is on security and only that. Sometimes this tunnel vision discourages the executive side, since they don’t realize that the security group has the best interests of the executive team in mind.
Executive teams also need to realize they are not experts in every subject. They require an explanation of the investment being presented to them, with clear evidence of how it will benefit the organization. Many organizations require a translator for this role.
This role is someone who can take the technical discussion and risk-based assessment from the IT security team and translate it into “Board speak.” Simply saying that security appliances and other investments are needed to keep safe from risks is not enough. Someone needs to break down specific scenarios of how the business will be affected when these risks materialize.
It is not a matter of “if” but a matter of “when” an event will happen. Knowing that, an executive’s role in an organization is to provide leadership and prioritize objectives based on likelihood and impact to the organization. The clearer the message is on the impact of an attack and what can be done to reduce the risk or prevent it, the easier the conversation will be to move forward with a solution.
Often, the only way to break up a silo discussion is to actually break the silo. In order to get someone to change their perspective, you must get them to see the problem from a different angle. Imagine yourself in the shoes of the Board. They have to look at the enterprise risk and make decisions and investments for the business.
As an IT security team, this can be hard to see, since you are always looking out for your own investments within your group. Presenting the process from the Board’s perspective and identifying enterprise business risk will open up the IT security team to a whole new appreciation of their function.
On the other hand, having the Board look specifically at the IT security group can give them a great appreciation of how the team works to protect the organization. Although this exercise is not practiced often, have the opposite teams represent each other and their “silo” needs. The goal of the exercise is not to be a long and drawn-out process. The goal is to change the perspective on how the business should approach the different points of view on the risks their organization faces.
With a change in perspective, priorities can be more easily understood and respected by all stakeholders, and will open up a more refined discussion.
If you’ve enjoyed reading this blog, take a look at this white paper called Top Five Tips for Bringing Information Security to the Board.
About the Author: Nick Santora is the CEO of Curricula, a cyber security education company located in Atlanta, GA. Curricula provides cyber security awareness training and NERC CIP compliance training solutions using an innovative story-based learning approach. You can follow Curricula on Twitter @Curricula or check out their website at www.GetCurricula.com
Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.