Ask CISOs to prioritize the skills they require to excel in their work, and a sizeable number will put talk before tech. Bi-directional communication — and its role in creating world-class cybersecurity programs — is a recurring theme in security workforce surveys and similar research. At the 2017 CyberCrime Symposium, featured speaker Summer Fowler tapped into influential security studies by ISC2, SANS, and Carnegie Mellon University (CMU) to spotlight the communication breakdown that characterizes interactions between CISOs and their senior leadership.
Can this marriage be saved? It can, said Fowler, technical director, cybersecurity risk and resilience at Carnegie Mellon’s Software Engineering Institute, who detailed problem areas — from reporting structures and board behavior to lost-in-translation jargon — that prevent CISOs from effectively communicating with business leaders.
CISOs need to become bilingual, as fluent in business-speak as they are in tech-talk. Meanwhile, business leaders should address common hurdles and work on their own communications skills. Only then can CISOs answer ongoing business questions, convey the critical role security plays in resilience and outcomes, and work toward security-business alignment. “Those of us in information security are generally really bad at translating technical jargon into the business language that senior management understands,” said Fowler. It’s one of the most difficult pieces of the cybersecurity puzzle, because “we aren’t known in this field for being good communicators.”
Without fluency in the business lexicon, and with no standard cybersecurity taxonomy to draw from, CISOs “can’t convey information that’s important to the business in a way that drives desired behavior and supports decision-making,” said Fowler. This problem is amplified during a cyber-attack, when bad communication hinders rapid response and mitigation.
Acknowledging the Problem is the First Step
At least CISOs acknowledge the problem and can take some corrective action. Fowler pointed to an ISC2 infosec workforce survey, which asked security practitioners to rank the most important contributors to success in their role. Of 14,000 respondents, 90% gave top honors to communication skills, which beat out technical skill and security threat awareness. Also noteworthy, she said, was a recent SANS survey of security specialists, who named communication the leading soft skill in effective security awareness programs.
If business leaders refuse to address communication barriers — reporting structures, for one — even bilingually gifted CISOs can’t build a world-class, business-centric cybersecurity program. When CMU and SINET surveyed Fortune 500 CISOs in 2016, they found that more than 70% reported to CIOs, when they should be reporting to a chief risk officer or directly to the CEO, said Fowler. Further, only 20% of CISOs report annually to their board of directors, while the majority get no guidance on their organization’s risk appetite from top executives and board directors.
Since cybersecurity is a risk-management issue, the current frequency and quality of stakeholder communication puts resilience itself at risk. While board directors surveyed by NACD say cybersecurity is a top-five concern, only 19% believe their boards have sufficient knowledge of the landscape.
There’s so much uncertainty surrounding cybersecurity that board directors are seriously considering whether they need to bring their CISO, or a similarly titled security executive, to the table. The fallout from breaches, combined with this uncertainty, has spurred elected officials to introduce hundreds of cybersecurity bills. One, which targets the boards of publicly traded companies, was ready for hearings in late 2017. The Cyber Security Disclosure Act would require SEC filings to disclose whether corporate boards have any members with cybersecurity expertise.
“The government’s stepping in on this one,” Fowler joked. “I think it’s a good move, but I’m not sure how it will play out.”
Measuring Up: Metrics and More
To close this knowledge gap and raise their game, CISOs should strive to answer cybersecurity questions in ways that resonate with business leaders.
Fowler advised attendees to get answers through cybersecurity metrics that “speak” to executives. Such metrics are relevant to that audience, free of technical jargon, and tied to a business risk, and they provide insight into the business impact of cyber-centric activity.
“Metrics are good for answering cybersecurity questions,” said Fowler. “Business leaders like information captured in numbers, because they can quickly determine what actions to take.”
This is the eighth post in our series presenting key takeaways from our 2017 CyberCrime Symposium, held November 2-3, 2017. The program was packed with an incredible line-up of speakers discussing the latest tools and techniques being used by cybercriminals, and most importantly, what attendees could do to enhance their organization’s cyber resiliency. If you couldn’t get a seat at the event — centered on the need to “Think Global, Act Local” — or want a refresher on various sessions, this is a not-to-be-missed series!