Make Your Leadership Team Cyber-Smart
November 13, 2020 by Becky Metivier
As cyber threats continue to escalate, community leaders are becoming increasingly interested in cybersecurity and risk management. This is no surprise, as they are ultimately held liable and responsible should an incident occur. And it’s important because leadership sets the tone for the rest of the organization. They must lead by example when it comes to cybersecurity and actively participate in, and be supportive of, the mission to be secure. As such, cybersecurity has made its way onto the agenda of many leadership meetings.
Presenting to the leadership team is a great opportunity for information security leaders because the leadership team sets policy and approves budgets. But it’s also challenging because cybersecurity can be an overwhelming subject.
There’s lots of mystery and complexity when it comes to cybersecurity, and if you don’t unravel some of that, leadership can’t possibly be aware of the risks they are facing or make informed decisions. That’s why it’s important to understand who you’re talking to and their level of expertise. Then speak to that understanding … plus a little bit more. If you can, try to make a personal connection for them. Presenting information relevant to them will drive interest and buy you more time at the table. And if you’re using graphs, make sure they are clear and easy to understand.
Building a Foundation
Ultimately, leadership needs to get a basic education in cybersecurity. It’s up to you to provide them with the information they need to know, so they can understand everything else. They simply can’t wrap their minds around things they can’t understand. If they don’t have a foundation, the rest of the subject matter is going to be very difficult to understand. It’s very important that they understand, because you want them to approve the resources you need and the budget you want.
Here are a few topics that can help you build that foundation.
#1. Roles & Responsibilities
First of all, describe to the leadership team your organization’s approach to cybersecurity: how it aligns with your strategic goals and how it supports them. You may find that in any discussion, security will seem like a roadblock that’s getting in the way of creativity and innovation, rather than supporting it. You need to show them this is not the case if security is part of the strategic conversation from the very beginning. Alignment can happen!
You should also speak to governance and oversight. Who should they be watching? How do these functions relate to cybersecurity risk? How do the roles interact? How are we sharing information between departments and functions? How do end-users participate in the program? They need to have a holistic view of the entire organization in terms of cybersecurity.
#2. Build Cyber Risk Awareness
Next, include information on the primary risk areas facing your organization. You should consider taking a “deep dive” into a particular topic at each presentation:
- Adversaries you’re facing and common attack vectors … especially social engineering
- Mobile device proliferation and the increase in mobile malware
- The ever-increasing complexity of malware and why it’s difficult to detect a breach
- Assets (data and infrastructure) and access to them
- Disruptions of operations from a security incident or emergency/disaster event
#3. Timely Real-World Information
Let them know what’s going on in the threat environment. You can also include information on trends and future analysis. There is a wealth of great documents out there, including the Ponemon Cost of Data Breach Study and the Internet Security Threat Report from Symantec.
Share relevant “wins” for the good guys. It helps to buoy their spirits. Let them know it’s not all doom and gloom, that there are some positive things going on as well.
Be sure to touch on what your peers are doing as well. This information can be gained from industry events, trade papers, etc. Consider making friends with your neighbors and comparing notes. Your entire sector can really benefit from this collaboration.
#4. Expectations and Feedback
It’s important to always seek feedback regarding the tone and value of content after each presentation. Over time you’ll be able to go a little bit deeper into everything because they’ll have more knowledge. Ask them what they want to learn more about. Remember, interest will drive awareness.
You should also set expectations. Let your leadership team know what information you’ll be bringing them and why it’s important. Then let them know how they should participate in the program.