Understanding Communication Complications Facing CISOs

Tim Fleming
Cyber risk is now nailed firmly to the board table. A seemingly never-ending procession of high-profile data breaches and attacks that bring operations to a halt has seen to this. Fighting for priority amongst other business silos has become less of a problem for the CISO.
However, a perennial issue that still holds cyber risk back in the boardroom is communication. Interactions can still feel as though they are taking place in different languages, or are focused on disparate objectives, something the accomplished security leader is now conscious to avoid.
Clouds on the economic horizon make this even more important. As a slowing global economy weighs on sentiment, the people, processes, and technology which make up a security leader’s risk posture come under the microscope. Questions are asked about priorities. Both channel leaders and the CISO are having to work harder to justify where chips are laid.
CISO Communication Tips
Against this background, understanding how the macro-economic climate has an impact on how CISOs communicate with the board becomes even more important.
Organisational impact as a unifying language. Now more than ever, a common language is crucial. As the economy tightens, so does the focus of the organisation on what is truly important — operational uptime, customer trust, reputation, regulatory compliance and, typically, the ability to continue generating revenue.
This is the lens through which discussions must be had. Channel partners with a clear understanding of this come into their own. It’s not about cyber-risk, but operational risk. In an economic downcycle the point must be made that, while the root cause of the problem might be micro, the impact could be macro. However, with the devil lying in a fragmented tangle of technical details far abstracted from operations, this is often lost in translation.
Take Colonial Pipeline, for example. The shutting down of the pipeline was caused not by a direct attack on OT systems, but a knock-on effect of billing infrastructure being compromised and a fear of lateral movement into critical areas. Imagine trying to convince a board in advance that such a seemingly tangential risk would ultimately stop 380m litres of oil from flowing, every day. Doing so would have required a mastery of big-picture storytelling, just enough technical nuance, and a need to not appear a scaremonger.
Making an effective cost argument for risk initiatives. In contrast to being able to articulate big-picture impacts, security leaders in challenging economic cycles also need to articulate and defend the finer details of how they are prioritising investment. OPEX will invariably come under the spotlight as the security function is quizzed on potential cost savings.
Against this backdrop, working closely with security leaders to help them communicate the bang for buck from specific defensive capabilities is important. CISOs will be breaking out the cost of security initiatives line item by line item to highlight how much risk is addressed by each, so management teams can better understand the impact of expenditure. This is where risk frameworks can be a useful tool. By summarising how a seemingly fragmented set of security initiatives mesh to secure operations, a framework communicates more clearly where security tools perform best. Just as importantly, it highlights where exposure will occur should cost savings be sought.
Take, for example, identity programs. A strategic approach to identity is an increasing part of board-level conversations because it represents a highly effective investment against a broad swathe of cyberattacks. While, to date, conventional controls have only covered small sections of the identity threat surface, security teams are waking up to the wholesale risk-reduction benefits that can be achieved by understanding where these gaps lie and preventing malicious access. Doing so stifles lateral movement, stopping threat actors from …