How to cross the cybersecurity chasm

By François Gratiolet
In order to ensure that cybersecurity is not perceived as a burden, but rather contributes to the evolution of a corporation, it is essential to incorporate cybersecurity into the business. However, board members and cybersecurity executives still have difficulty understanding one another.

The gap between business leaders and cybersecurity specialists

A recent study done in 2016 by The Economist Intelligence Unit “How the disconnect between the C-suite and security endangers the enterprise” highlighted the distance between those responsible for business and those responsible for cybersecurity.

It revealed significant gaps in the perception of risks and cyber threats, the assets to be protected, and data governance issues. If reputation is the first element to be protected for company executives, it is the regulated data that is the main concern of the cybersecurity stakeholders.

In this context, how can organisations make their cybersecurity programme effective?

Develop a common language

On the one hand, boards must have adequate access to cybersecurity expertise, and discussion of cybersecurity risk management should be a regular item on each board meeting agenda, with a sufficient time slot. In addition, board engagement on cybersecurity matters should not be restricted to yearly reports.

On the other hand, cybersecurity specialists like any other subject matter experts must be able to communicate effectively with board members and other business leaders. Meetings between CISOs and board members mean nothing if experts and directors speak their own jargon and are unable to understand one another.

For example, rather than referring to technical and obscure terms such as ISO 27005, APT (Advanced Persistent Threat) or IoC (Indicator of Compromise), cybersecurity executives who want to persuade the company's management to take new steps will be listened to carefully if they present figures at a level and in a format that non-specialist directors can understand.

Master the art of metrics

Therefore, assessments of cybersecurity or budgeting should be expressed using metrics that objectively and unambiguously give scores of risks, cybersecurity performance, reward, cost and benefit.

For example, cybersecurity rating is a simple and smart way to demonstrate the effectiveness of cybersecurity measures. Such a rating is expressed with a number and/or with a letter. Board members and cybersecurity specialists can continuously monitor the cybersecurity performance of their organization, their subsidiaries or their network of vendors.

Ratings also make it possible for executives to compare their organisation with its peers in the same industry, to pinpoint their cybersecurity issues, to better prioritise efforts and to allocate resources adequately. If executives have evidence that their company is lagging behind its competitors, it is more likely that the cybersecurity budget will be increased.

Tomorrow, because of the cybersecurity rating’s simplicity, sharing cybersecurity posture between board members and cyber experts will be easier than ever.

With the use of such a scoring system, the cybersecurity chasm between board members and cybersecurity professionals will be definitively crossed.