Recently I blogged about how cyber risk management is moving “from the server room to the board room,” and shared senior executives’ top security concerns based on recent client engagements. In this follow-on post, I’ll discuss the key driver for this maturation process: effective communication from the CISO to the CEO and other top executives, and then vertically to the rest of the organization.
Just as with other lines of business, communication and knowledge are everything in today’s security game. A CISO needs to give the CEO the information he or she needs to make cyber risk-based decisions that drive the organization toward its goals.
In making these decisions, CEOs must have sufficient knowledge and understanding of cyber risk to balance convenience and governance. You can’t just embrace the convenience of new technology like mobile devices, for example—you need to consider how you’ll govern it from cost, legal and security standpoints.
“In my direct experience, the businesses that have good communication up, down and across around their CEO are the ones that survive cyber-attacks best.”
Leveraging 21st-century conveniences/automation takes a 21st-century governance model where security is baked in. That starts with “tone from the top,” and that starts with communication.
Security isn’t about preventing malicious events. It’s about understanding the risks and implementing proper controls. At the C-level, that requires an understanding of who your adversaries are, what your business needs are, and what your customer demands are—and then finding that middle ground where convenience and governance are in balance.
This is where a CISO’s communication skills come into play. The more effectively the CISO is able to “bridge” communications between the IT section, the Disaster Recovery/Business Continuity section and the Audit section, the more the CEO will truly understand cyber risk and the stronger the organization’s security posture will effectively be.
Lateral communication between the CISO to the CEO is vitally important—but so is communication down from the C-suite to those who will implement the executive guidance. To communicate effectively, today’s CEO must be aware on a daily basis of cyber threats. He or she needs to know which threats are most important to address first, which can be mitigated, which can be transferred to a third party, and so on. This is the basis for the ongoing direction the CEO must provide.
It might sound trite, but communication to and through the CEO about cyber risk is more important now than ever in the past. Why? Because the stakes are so high.
In my direct experience, the businesses that have good communication up, down and across around their CEO are the ones that survive cyber-attacks best. In companies where seem to feel that cyber risk is “not my problem” (which includes widespread denial of risk), when the attack inevitably comes the bottom really falls out.
When you hear a CEO say, “We’re accepting the risk,” there’s a world of difference between fully understanding that risk and all its implications vs. someone putting their head in the sand—and you see that difference in what happens when threats manifest.
Does your organization have the senior security leadership it needs to drive effective communication and optimally address cyber risk? Many organizations are struggling to find the CISO skills they need today. Pivot Point Security offers a suite of virtual CISO (vCISO) service offerings designed to be customized for your specific needs.
Contact us to start a conversation with a vCISO expert on what an ideal vCISO relationship would look like for your business.