- The threat landscape is changing fast and businesses must prepare for emerging risks.
- Poor communication between IT professionals and C-suite executives can lead to cybersecurity risks being overlooked.
- For cybersecurity to be truly effective, it needs to be part of an organization’s culture.
Board members and C-suite executives routinely face the challenge of managing business objectives while keeping investors and shareholders happy. Their priorities are focused on business goals, such as increasing the company’s profitability, staying ahead of the competition, looking for the next innovative idea, encouraging employee engagement, and being able to pay dividends to shareholders in a harsh and challenging business climate. Their brains are wired to look at things through a business lens.
Unfortunately, this doesn’t bode well for cybersecurity professionals, whose approach tends to be more narrowly focused on technical goals. Many don’t take the time to understand how they can make their goals align with the company’s overarching strategic objectives. As a result, IT professionals are often unable to demonstrate the net business impact of potential security risks. For this reason, security needs often fly under the radar of executives and board members, only coming under discussion when a major situation has occurred.
Within many companies, the lack of communication that stems from the inability to understand the connections between the technical goals of a company and its strategic aims has led to a major divide between the board and C-suite executives and members of the cybersecurity team. But this does not have to be the case.
Cybersecurity is not a technical problem, it’s a business problem
The threat landscape is changing fast, making it difficult for organizations to stay ahead of today’s emerging risks. Many companies think the answer to this challenge is to throw more money at the problem and implement various security solutions in an attempt to prevent attacks.
However, cybercriminals are generally successful not because their attack methods are so sophisticated that they fool security solutions, but because of fundamental corporate security issues that remain unaddressed. Examples of this include problematic behaviour by end-users (e.g., failing to spot phishing emails), lack of security in the supply chain, and procedural failures where employees might have the right technology at their disposal but aren’t monitoring the right alerts or are unable to correlate events to take the right action.
At its core, therefore, cybersecurity is not a technical problem – it’s a business problem and a behavioural issue. Organizations need to adopt a different approach to security, one which understands that the goals of both IT teams and company executives are interconnected. Security goals and the strategies to meet them need to be set by top leadership, and specific security objectives should also be built into staff performance goals and supplier performance measurements to drive behavioural change. Implementing effective security programmes and improving the security awareness of both employees and partners can help companies better protect their assets and information and avoid the fall-out from breaches, helping them meet their business objectives.
Bridging the communications divide
So how can this be accomplished? To overcome the communications divide between IT and executives, there needs to be active dialogue and continuous engagement between the two parties. More specifically, IT teams must educate board members about the potential business impact of security breaches and help them understand that security goals and business objectives can be strategically aligned.
Before they can accomplish this, however, cybersecurity personnel need to take the time to understand business strategy and objectives and develop a security strategy that supports these. Demonstrating a clear link between security and business goals will go a long way towards ensuring that the board and C-suite executives both understand and will be willing to approve initiatives to enhance corporate security.
At the same time, board and C-suite executives also need to communicate their security concerns and priorities to cybersecurity teams. It is important that they understand that IT professionals have a technical perspective, and they need to provide them with strategic guidance and support while clearly communicating the company’s business goals. And, perhaps most importantly, they need to accept that poor security is, in fact, a business problem and set their priorities accordingly.
One last tip to keep in mind is that cybersecurity teams should provide half-year and annual information security reports to company executives that demonstrate how agreed-upon security objectives have been executed, and how they have supported business strategy. This will help both the board and company executives see where the security budget is going, and the return on investment that the business is seeing as a result.
Damaged but not broken
Cybersecurity teams and executives within many companies are often at odds when it comes to priorities and goals, causing a tremendous disconnect that leaves companies divided. But while the relationship may be damaged now, it’s not broken – and it can be fixed.
As with any relationship, before attempting to fix the communications process, it’s important that both parties agree that the current method is not sustainable. Each must make an active effort to change their approach and understand the other side’s perspective.
Culture of cybersecurity
In his book Culture Rules!, John Childress says, “You get the culture you ignore”.
For cybersecurity to be truly effective, it needs to weave its way into the fabric of the organization’s culture. Communication is the first step in bridging the gap. This includes transparency and normalizing discussions of challenges, errors, or misconceptions.
With a little give and take from both sides, it won’t be long before these one-time opponents become the best of teammates working towards aligned business and security goals.