[BreachExchange] How cybersecurity leaders can best navigate the C-suite

Destry Winant destry at riskbasedsecurity.com
Tue Oct 29 09:58:58 EDT 2019


https://securityboulevard.com/2019/10/how-cybersecurity-leaders-can-best-navigate-the-c-suite/

Recent data breaches at companies like British Airways and Capital One
have made it more evident than ever before that cybersecurity leaders
must prepare for a staggering amount of potential threats. Credential
stuffing, account takeovers, and insider threats are all vectors of
attack that could potentially devastate a business. But without the
C-suite’s support, it’s impossible for cybersecurity leaders to
effectively plan for and defend against these threats.

If the C-suite doesn’t fully understand a security risk, they likely
won’t prioritize investing to defend against the potential threat.
This, of course, can lead to disastrous consequences, like losing
loyal customers, hurting brand reputation, or incurring major fines.
The British Airways breach led to a fine of almost $230 million, and
that doesn’t include intangible losses like a damaged reputation. As
a result, it’s up to the security leaders to effectively communicate
and position security risks to company leaders and decision-makers.

Here are five tips to help cybersecurity leaders navigate the C-suite:

Make cybersecurity a priority—for everyone

While leaders acknowledge security is a vital part of their
organization, they often prioritize other initiatives that provide a
more direct return on investment. According to a recent study from
Nominet, 90 percent of C-suite members think their organization lacks
the proper resources to defend against a cyberattack, and 76 percent
of them think a security breach is inevitable. This highlights a
disconnect: While C-suite executives acknowledge security is an issue,
they’re not doing all they can to protect their organizations.

In another report from Wipro, 72 percent of organizations cited
employee negligence and lack of awareness as a top cyber risk. Because
of this, cybersecurity leaders need to find ways to relate
cybersecurity to all departments of a business. Pushing everyone in
the organization—not just the C-suite and IT teams—to think about
security through awareness programs and other initiatives is necessary
for any organization. When everyone actively thinks about
cybersecurity and how it affects the overall well-being of the
company, preventative measures will be more effective. Whenever
presenting a specific threat, take a minute to explain why all
employees across the business, including the C-suite, should care
about it. For instance, the CMO will likely be interested to know how
a hacked third-party tag on the website could steal customers’
personal information, thus violating user privacy regulations and
affecting brand reputation. By working with the C-suite to make the
business security efforts a top priority across the company, nobody
will be caught off guard in the case of a new threat or a security
incident.

Attach cybersecurity needs to business requirements

Cybersecurity leaders often have difficulty quantifying risk into
impact, or cash cost, and presenting it in a way that aligns with
business goals. For example, a member of the security team might need
to explain to the C-suite why an organization should purchase a new
encryption service. Instead of only speaking to the importance of
encryption and broadly mentioning that it could save the organization
money down the road, point out some industry statistics to back it up.
A recent IBM study suggests that encryption reduces the cost of a data
breach by $360,000 on average—a number that should persuade anyone to
consider better encryption. A simple cost-benefit analysis is all
that’s needed.

Overall, security leaders should communicate threats in an easily
digestible way, but also show how the small initial cost to close a
security hole can prevent a more significant cost down the road.
According to the same IBM study, the average data breach costs an
organization $3.92 million—a crippling setback for any organization.
If possible, spell out what a cyber threat could cost the
organization, including costs around incident response, potential
fines, and lost customers.

Get to the point

The C-suite has a lot of responsibilities. If security teams present
them with too much information at once, C-suite executives might
overlook critical details. It rests on the cybersecurity leader’s
shoulders to provide just enough information to show impact, but not
so much that they lose their audience. Explain essential details, like the
immediacy of an attack or how many people it could affect. Diving into
the technical specifics of credential stuffing or email phishing
attacks, however, might not be the best strategy to get a CEO’s
attention. Leave out extremely technical jargon along with the
non-essential graphs and charts.

Similarly, a small amount of context is helpful. If briefing the
C-suite on account takeovers, point out some recent examples in the
news. Too much context, however, like offering the history of account
takeover strategies, can be distracting.

Plan ahead, if and when possible

New methods of attack emerge constantly. Recently, for example,
Magecart attacks have become increasingly common but difficult to
defend against, as attackers use a variety of approaches to skim
information. RiskIQ pointed out that even though credit card skimming
attacks have been used since 2000, attackers are continually finding
new ways to access information. This degree of unpredictability makes
it difficult to guard against upcoming threats.

With this ever-evolving landscape of attack-and-defend, cybersecurity
leaders typically can’t provide goals beyond 6 to 10 months. The
C-suite generally likes to see long-term goals out of departments, so
it’s important for security teams to make business leaders aware of
the quickly shifting threat landscape. To keep abreast of potential
threats, stay updated on cybercrime trends, reports, and news.
Noticing new or popular modes of attack will help security leaders
prepare for the long-term, rather than having to quickly react to
current vulnerabilities.

Be real, but not alarmist

Even with a vast knowledge of what could potentially happen,
cybersecurity leaders should avoid earning a “Chicken Little”
reputation. Unlike the storied chicken that runs around exclaiming
that the sky is falling, security leaders should aim to be realistic
when trying to present severity to the C-suite. While clear
communication is crucial to explain security issues, it sometimes
comes across as alarmist as well. Tailor messaging toward business
goals and impact, but omit disastrous information unless requested. To
avoid triggering fear, stick to the facts and avoid speculation or
hyperbole.

Building relationships—especially with the C-suite—is a process that
naturally takes time and effort. However, based on my experience,
these practices should help cybersecurity leaders feel more confident
in their ability to keep the C-suite up-to-speed on the latest threats
and vulnerabilities. Once both security leaders and business
decision-makers agree that cybersecurity should work hand in hand with
a business’s overall goals, the relationship will continue to grow. As
a result, businesses can expect to protect themselves and their
customers in a more efficient, proactive manner.