This blog post was first published on December 6, 2016, and was updated in August 2019 to reflect several new high-profile breaches that occurred after the original date of publication.
One of the biggest disconnects between IT Security and the C-Suite or the Board is that, until a few years ago, IT Security was “two guys in the closet manning the firewall”. With Target, Home Depot, Equifax, Capital One and other very high-profile cyber breaches, the C-Suite and the Board are taking notice of IT Security issues, but they don’t understand the mumbo-jumbo of what the IT Security professionals are telling them – I want a firewall, IPS/IDS, SIEM, DLP, etc. IT Security folks have to change their ask so that the C-Suite and Board can understand it. The C-Suite and Board understand the language of finance and risk. IT Security folks have to educate the C-Suite and the Board on the impact of cyber threats – reputational risk (TJ Maxx, Home Depot), financial risk (impact on earnings per share – Target), regulatory risk (civil penalties imposed by the government, e.g. Presbyterian of New York, Anthem Insurance), or even outright customer embarrassment (as in the Ashley Madison breach).
Speak the language of risk management, not technical jargon
From the top down, Board members and the C-Suite ask about specific concerns, financial impact and risks, which may give the IT security team the impression that senior management only wants to make money and doesn't understand IT security issues. Beyond the cultural differences between these two groups, the difference in language is the main cause of the communications breakdown. They don't understand each other's jargon, and of course each other's priorities. IT Security needs to spend the time and effort to explain to the Board and C-Suite the specific details that will allow them to understand the implications of not doing enough when it comes to IT security. Some examples are:
- Management should treat this expense as "insurance" to protect the company from a breach.
In order to prevent a communications breakdown between IT Security and the C-Suite, IT Security should recommend the level of protection needed and the corresponding cost involved. The more protection, the higher the cost. Not every company needs the highest level of protection; it depends on the business, the confidentiality of customer data, and so on. IT Security can spell out the risks involved if any of the specific security actions are not taken. IT Security should also explain the amount of work that the C-Suite may themselves have to undertake in the event of a breach, e.g. government communications, fines or penalties, customer communications, and the public relations cost and effort needed to manage the reputation damage caused by a breach.
Assess the risks to the organization
In summary, IT Security folks have to assess the risk to the organization and break down their budget requests so that each item maps to a risk to the organization; then the C-Suite and the Board can understand the requests and make decisions to mitigate those risks.