With data breaches regularly marking the headlines, it is no surprise that digital threats constitute an increasingly significant concern for the C-Suite and cyber security experts. What is surprising, however, is that these two groups don’t seem to share the same view of information security. They have different opinions when it comes to the digital threat landscape in general as well as their organization’s level of preparedness in particular. This disconnect has become apparent across numerous studies. Let’s examine a few below:
In February 2017, BAE Systems found that just over a third (35 percent) of C-Suite executives believed their IT teams were ultimately responsible for addressing a data breach, whereas half of IT decision makers thought this responsibility resided with senior management and leaders. The two groups also differed in their estimates of the cost of a successful digital attack, with IT decision makers’ estimate ($19.2 million) almost twice that of the C-Suite ($11.6 million). Additionally, while 82 percent of IT teams felt that cyber security spending was part of a comprehensive strategy, only half of the C-Suite believed this to be the case.

More than a year after BAE Systems’ research came out, Varonis discovered that this disconnect dividing the C-Suite and cyber security executives was alive and well. Its 2018 research specifically uncovered a divergence in what the two groups thought was the most significant business impact of a data breach. The C-Suite thought it was the cost of recovery, while the cyber security experts felt it was a loss of brand image. Also, while more than 90 percent of IT and security professionals felt their organizations were making progress in security and were using a cyber security approach that aligned with the organization’s business interests, only around 70 percent of the C-Suite expressed the same view.

These differences of opinion matter when it comes to formulating a cyber security strategy. That’s because these disparate viewpoints are fundamental to how the C-Suite and cyber security experts relate digital risk to the organization. While the cyber security folks are speaking in terms of exploits, vulnerabilities and incidents, non-technical audiences do not always follow along. In simplified terms, executives who are making decisions for the business are looking at either revenue-generating objectives or risks to generating revenue.
Technical cyber security is not something that generates revenue, so it is not something that is easily understood by the C-Suite in terms of budget allocation. This hinders communication and, by extension, the formulation of a unified strategy across the organization.
Enhancing Cyber Security Speak at the Workplace
The best way to close the communication gap between the C-Suite and cyber security experts is to get them on the same page. As with any relationship, when two different entities are trying to come together, they need to first speak the same language. In order to do so, the security teams need to understand the objectives of the business and how they can best help the business attain its goals in a secure manner. This can be as simple as having a regular dialogue. When either party says something about their respective field that the other does not understand, they should not be ashamed to ask for clarification. Sometimes the best way to explain something is to use a simple example that everyone can relate to.

Together, the C-Suite and cyber security experts can then use this understanding to effectively distribute information security expertise across the organization. Such a plan should emphasize the common user, who already has some security awareness. It is up to organizations to take advantage of this awareness by effectively communicating the risks to the business and how users fit into reducing the organization’s risk. Instead of having security operate as its own independent business unit, each business unit should be looking at how it can embed security controls into its own processes and procedures.

Let us look at an example. If someone in the organization wants to get some work done remotely, they should be discouraged from sending confidential data to their own personal e-mail accounts. Instead, they should have a secure way to access their work through an encrypted corporate laptop or a virtual desktop. Emphasis here should be placed on the user experience so that users are not burdened by security to the point where they feel the need to circumvent the security process to get their work done. If security is not enabling the business to be successful, employees will overlook any and all of these security measures.
A Joint Collaborative Effort Between C-Suite and Cyber Security Experts
For cyber security to receive the attention it deserves at the organization level, two things need to happen. First, C-Suites need to listen to Dark Reading’s advice and lead the charge. This means taking ownership of the organization’s digital resilience and creating a top-down approach by which the organization can address and manage its cyber security risks. Second, as part of this strategy, those in cyber security need to make sure that they speak the language of risk so that they can effectively communicate new concerns to the C-Suite. As explained by one of my colleagues in a previous post, such effective communication will help make finance, HR, marketing and other departments that manage sensitive data more receptive to implementing security measures. This will, in turn, improve the organization’s overall security. To learn more about achieving better collaboration between cyber security experts and the C-Suite, read our "5 Tips for Communicating Information Security to the Board" guide.