Any modern security expert can tell you that we’re light years away from the old days when firewalls and antivirus were the only mechanisms of protection against cyberattacks. Cybersecurity has been one of the hot topics of boardroom conversation for the last eight years, and has been rapidly increasing to higher priority due to the size and frequency of data breaches that have been reported across all industries and organizations.
The security conversation has finally been elevated out of the shadows of the IT Department and has moved into the executive and board level spotlights. This has motivated the C-teams of organizations everywhere to start asking hard questions of their Chief Information Officers, Chief Compliance Officers, Privacy Officers, Risk Organizations, and Legal Counsels.
Cybersecurity professionals can either wait until these questions land at their feet, or they can take charge and build relationships with executives and the business side of the organization.
Taking charge of the issue
Professionals fortunate enough to have direct access to the Board of Directors of their organization can also build extremely valuable relationships at the board level as well. As cybersecurity professionals establish lines of communication throughout organizational leadership, they must keep in mind that these leaders, although experts in their respective areas, are not technologists.
The challenge that cybersecurity professionals face is being able to get the non-technical people on board with the culture of change in regards to security. These kinds of changes in culture and thinking can help facilitate the innovation that is needed to decrease the risk of compromise, reputation damage, sanctions against the organization, and potential stock devaluation. So how can one deliver this message of Fear, Uncertainty, and Doubt (FUD) without losing the executive leaders in the technical details or dramatization of the current situation?
Start by addressing the business problem, not the technology.
The answer isn’t as daunting as you might think
The best way to start the conversation with business leaders is to begin by stating the principles of your approach to addressing the problem and the risks of not properly addressing it. It’s important to remember to present the principles and methods in a way that is understandable to non-technical persons.
This may sound challenging at first, but the following examples will give you a good starting point of how to accomplish this:
- At some point in time, there will be a data breach—Every day we’re up against tens of thousands of “militarized” state-sponsored threat actors who usually know more about organizations and technical infrastructure than we do. This is not a fight we’ll always win, even if we’re able to bring near unlimited resources to the table, which is often rare itself. In any scenario, we must accept some modicum of risk, and cybersecurity is no different. The approach for resolution should involve mitigating the likelihood and severity of a compromise situation when it ultimately does occur.
- Physical security and cybersecurity are linked—If you have access to physical hardware, there are a myriad of ways to pull data directly from your enterprise network and send it to a dark web repository or other malicious data repository for later decryption and analysis. If you have possession of a laptop or mobile device, and storage encryption hasn’t been implemented, an attacker can forensically image the device fairly easily and make an exact replica to analyze later. By using these or similar examples, you can clearly state that physical security even equals cybersecurity in many cases.
- You can’t always put a dollar amount on digital trust—Collateral damage in the aftermath of a cyberattack go well beyond dollars and paying attention to cybersecurity and privacy threats demonstrate digital trust to clients, customers, employees, suppliers, vendors, and the general public. Digital trust underpins every digital interaction by measuring and quantifying the expectation that an entity is who or what it claims to be and that it will behave in an expected manner. This can set an organization apart from its competitors.
- Everything can’t be protected equally; likewise, everything doesn’t have the same business value—Where are the crown jewels and what systems’ failure would create a critical impact on the organizations business? Once identified, the organization has a lot less to worry about and protect. Additionally, one of the core principles should be, “When in doubt, throw it out.” Keeping data longer than it needs to be kept increases the attack surface area and creates liability for the firm to produce large amounts of data during requests for legal discovery. The Data Retention Policy needs to reflect this. Data Retention Policies need to be created with input from the business and General Counsel.
- Identity is the new perimeter—Additional perimeter-based security appliances will not decrease the chance of compromise. Once identity is compromised, perimeter controls become useless. Operate as if the organization’s network has already been compromised as mentioned in principle #1. Focus the investment on modern authentication, Zero Trust, conditional access, and abnormal user and information behavior detection. Questions to ask now include, what’s happening to users, company data, and devices both inside and outside the firewall. Think about data handling—who has access to what and why and is it within normal business activity parameters?
The culture of change in the organization
If leadership is not on board with the people, process, and technology changes required to fulfill a modern approach to cybersecurity and data protection, any effort put into such a program is a waste of time and money.
You can tell immediately if you’ve done the appropriate amount of marketing to bring cybersecurity and data protection to the forefront of business leaders’ agendas. If the funding and the support for the mission is unavailable, one must ask oneself if the patient, in this case the organization, truly wants to get better.
If, during a company meeting, a CEO declares that “data protection is everyone’s responsibility, including mine,” everyone will recognize the importance of the initiative to the company’s success. Hearing this from the CISO or below does not have the same gravitas.
The most successful programs I’ve seen are those who have been sponsored at the highest levels of the organization and tied to performance. For more information on presenting to the board of directors, watch our CISO Spotlight Episode with Bret Arsenault, Microsoft CISO.
Stayed tuned and stay updated
Stay tuned for “Changing the monolith—Part 2” where I address who you should recruit as you build alliances across the organization, how to build support through business conversations, and what’s next in driving organizational change. In the meantime, bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.