Socializing Cyber Security to Staff & Leadership
February 23, 2021
A challenge with IT Security is communicating real risk to leadership and users in a way they understand, that also moves them to action (e.g. giving budget, or not clicking a malicious link in an email).
The foundation for this discussion is that business risk decisions are not technical decisions. This needs to be considered when a Chief Information Security Officer (CISO) wants to apply a security control or restrict a user behavior.
With a business decision, we must ask: what are the potential impacts to this control? What risk is it reducing? What would that impact be to the business? Are users going to work around this control and do something even riskier?
A CISO’s role is similar to a General Counsel, where we provide guidance to manage a risk. We provide the facts and information to help the business make risk-based decisions. And the senior leadership needs to understand they have four options: mitigate, accept, transfer, or avoid that risk.
You will have many risk-based discussions, so here are two fundamentals to consider:
- What works for one doesn’t work for all.
- Maturity levels and risk acceptance levels vary by organization or an individual.
- You are talking to individuals, and each has their own goals, incentives, currency, and biases.
- These incentives may be financial, reputational, competitive, ego-driven, aspirational, or ethical.
When talking specifically to leadership, there needs to be a baseline set for future discussions:
- What does success look like?
- “Everything working?”
- “Are we making money?”
- What does failure look like?
- “Were we hacked?” — what does that really mean?
- How do we measure each?
When talking to anyone in the organization, keep these two things to keep in mind for success:
- DON’T push FUD factor (fear, uncertainty, and doubt)
- This doesn’t work, it never worked; it might get their attention, but never ultimately leads to long-term buy in.
- DON’T focus on technology challenges or benefits
- They won’t understand, and that shouldn’t be your strategy anyway.
Instead, use these core strategies:
- Remember you are talking to people, not a “corporation.”
- Know your audience. What are their backgrounds, interests, and their motivations?
- Know your company, what it does, how it makes money, who its customers and partners are, what the culture is, and what a “bad day” looks like.
- Know what your competitors and peers are doing in this area.
- Know your industry and its regulations.
- When considering threat scenarios, use threats and risks to business processes, not technical threats.
- Don’t let an incident or crisis go to waste.
- Realize the approach that works for you this year might not work next year. Management got smarter (you educated them), so you need to go further.
Lessons in Effective Communication (Courtesy of Dale Carnegie)
There was a book written in 1936 called How to Win Friends & Influence People by Dale Carnegie. It’s something most business students have read, but not a lot of IT people know about it. This provides a guide for good communication within the business context. It’s also a foundation for good customer service, which is a skill CISOs need to have.
The book has three main sections of interest:
Three Fundamental Techniques in Handling People
- Don’t criticize, condemn, or complain
- Give honest and sincere appreciation
- Arouse in the other person an eager want
Six Ways to Make People Like You
- Become genuinely interested in other people.
- Remember that a person’s name is, to that person, the sweetest and most important sound in any language.
- Be a good listener. Encourage others to talk about themselves.
- Talk in terms of the other person’s interest.
- Make the other person feel important – and do it sincerely.
Twelve Ways to Win People to Your Way of Thinking
- The only way to get the best of an argument is to avoid it.
- Show respect for the other person’s opinions. Never say “You’re wrong!”
- If you’re wrong, admit it quickly and emphatically.
- Begin in a friendly way.
- Start with questions to which the other person will answer “yes.”
- Let the other person do a great deal of the talking.
- Let the other person feel the idea is his or hers.
- Try honestly to see things from the other person’s point of view.
- Be sympathetic with the other person’s ideas and desires.
- Appeal to the nobler motives.
- Dramatize your ideas.
- Throw down a challenge.
Defining & Measuring IT Security Goals
So now that we have tools to communicate more effectively, what is our goal? We return to the baseline discussion at the top of the article: Defining success and failure factors. In a comprehensive IT security program, they would include what we are doing well, or poorly, in the following areas:
|End user impacts||Responsiveness to incidents||Comprehensive coverage & visibility||Resiliency|
You must be able to provide information on where the organization is in these areas and where we want to be. If there is a gap, what is the roadmap to get there?
Once we have the engagement, support, and right information to develop our program, how do we measure the success, and build in constant improvement? IT Security is a journey, and not a destination. Technology, culture, threats, bad actors, competition, regulation, business scale, all change over time – sometimes very quickly.
So here’s what we need to answer to guide the IT Security journey:
- Are we compliant to everything we need to be?
- Have we had any downtime that affected business? Is our environment resilient to outages or attacks? How are we measuring that?
- Do we know all the systems on our infrastructure? Can we see them and/or know their state?
- Have we had any business impacts due to security incidents? Have we been responsive to incidents?
- Are our users able to do their jobs effectively and securely (without having to go around controls)?
- Is our security visibility comprehensive to monitor all areas of the business and infrastructure?
- Have any safety impacts happened due to IT incidents?
- Are staffing levels at appropriate level?
- Where are you on budget? Is budget at the appropriate level?
- What do we need to get better?
And finally, one last quote to close it out:
“There is a tendency in our planning to confuse the unfamiliar with the improbable.” -Thomas Schelling, professor and Nobel Prize-winning Cold War economist
Business executives might not have experienced an incident (that they are aware of), but they are bombarded with FUD marketing from the cybersecurity industry. They are seeing conflicting information to know what is real, what is probable, or what is a black swan event — as opposed to a common occurrence that just hasn’t happened to them, yet. It is the CISO’s responsibility to build leadership’s trust and provide them with good information to assist them in making good risk-based decisions to protect the organization.
You can watch author Rick Doten present this information as part of TSG’s Technical Webinar Series.
Meet Rick Doten
Rick is VP, Information Security at Centene Corporation, and CISO of Carolina Complete Health based in Charlotte, NC. Rick supports both the NC health plan and corporate Centene in a cybersecurity leadership role.
In his prior role, Rick worked as Virtual CISO supporting international companies. Rick also developed the curriculum for a Cybersecurity Master’s degree program for Monterrey Tech University.
Rick is an avid speaker at cybersecurity conferences, and he has been cited in numerous industry publications, is a frequent guest on podcasts, and appeared on television commenting on issues relating to cybersecurity and risk management. He is a member of The CyberWire Hashtable, part of the editorial panel of the Council on Cybersecurity Critical Security Controls, and the lead author on the newest version 8 of the Controls.
Rick ran ethical hacking, incident response and forensics, and risk management teams throughout his 25+ year cybersecurity career. Previously, Rick was cybersecurity practice lead for a private intelligence and security firm, was CISO at a multi-national US company, and has held positions as a Risk Management consultant at Gartner, Chief Scientist for Lockheed Martin’s Center for Cyber Security Innovation, and Managing Principal in the Professional Security Services practice at Verizon.
When not thinking about cybersecurity, Rick practices and teaches Yoga, and is always seeking out good restaurants and food trucks wherever he goes. Connect with Rick on LinkedIn.