As cyber security rises in the hierarchy of governance priorities, senior executives, as a team, will engage in deeper discussions with their organisation’s technology specialists and technology partners. Clear and effective communication is vital to ensuring that strategies are clearly articulated and understood by all stakeholders. Whatever their nationality, this has been a fraught area for execs and techies: the two groups have often struggled to establish ‘a common language’, and therefore a common sense of purpose.
“Execs talk the talk of business objectives and balance sheets, while the IT experts express their views in terms of technological solutions and balanced risk,” an industry observer has said. “At its least successful, the ‘suits’ are said to be coming out with meaningless management speak, while they reckon the techies will try to ‘blind them with science’ by lacing their language with industry buzzwords. It can become a kind of jargon jousting match, with each side stating their position through buzzy clichés.”
But as the cyber security governance role of boardrooms and c-suites grows, executives are compelled to engage in closer, more extensive conversations with the techies; and even with senior technologists in attendance among the chief officers at the top table, there has been a disconnect between the contrasting mindsets. This is exacerbated by the fact that the worlds of the business executive and the IT specialist are filled with buzzwords and terminology that make straightforward statements hard to ‘decode’. As techies and non-techies enter into a more equitable division of responsibility, it becomes more important that any language difficulties are acknowledged and resolved, argues Matt Cockbill, Partner, IT & Digital Leadership Practice at Berwick Partners. “Miscommunication breeds confusion and uncertainty… For c-suite executives and those involved in a business’s cyber security, a lack of clarity results in poorly-defined roles and responsibilities, instilling a ‘someone else is taking care of it’ attitude. This ultimately allows holes to appear in cyber defence.”
The language of metrics could serve as the Rosetta Stone of communications between the executives and the techies
Adds Cockbill, “Senior executives should not be expected to understand function-specific language. It is the challenge of the Chief Technology Officer (CTO) or Chief Information Security Officer (CISO) to think, act and communicate as senior managers first, and functional cyber experts a close – but definitive – second. Being able to tailor messages to different audiences right across the enterprise is a critical trait of all senior leaders, and this applies to the CTO and the CISO.”
According to Phil Richards, CISO at Ivanti, the issue is not whether executives can understand technical jargon; it is about making the issue relevant to the executives. “When a technical person sees a problem – e.g., an Internet-facing server that cannot be patched – they don’t necessarily see this as a ‘threat’ that would concern (their company’s) executives,” Richards says. “The technical person needs to rethink the problem as, ‘how does this threaten my company?’, and report the answer to that question as the problem. An executive can then be presented with a vulnerable Internet-facing server which a cyber criminal could compromise, and then use to download customer databases. So, by adding in the second part about how the risk will affect the entire business, executives become immediately engaged.”
Organisations also need to move beyond ‘buzzword summaries’, where management jargon means the information is garbled and what’s important is lost, insists Michael John, Director, Operations at the European Network for Cyber-Security (ENCS): “If you work with critical infrastructure, the stakes are too high to risk that. On the other hand, ‘techno-speak’ can sometimes be incomprehensible too.” John says that to a certain extent, information security experts do “need to make an effort to communicate clearly – but also need more decision-makers to develop a better intrinsic understanding of cyber security matters. There are already quite a few training courses aimed at c-suite personnel on offer, so resources are available out there for the executives who do want to adapt.”
COMMUNICATION OF RISK
For Phil Richards at Ivanti, a pivotal responsibility of senior executives is to identify all the kinds of risk that threaten their organisations, be they competitor activity or attempts by nation-state-sponsored hackers to steal their intellectual property. Executives must come to terms with the fact that the native language of cyber security is jargonistic, and not rely on confused ‘translations’ in order to understand what its terms mean.
“When techies and executives fail to communicate effectively, there is a real chance that major risks will not be identified nor managed at the senior level,” warns Richards. In other words, both sides should be willing to learn a smattering of each other’s professional lingo.
“The treatment of cyber risk often gets lost in translation,” says Dan Brown, Security Consultant at FarrPoint. “This is down to the difficulties in the expression of technical risk in simple terms to senior management. And this itself is particularly in regard to the fundamentals of cyber risk management and the inability to implement a single, static, unmanaged control to allay a cyber risk for the foreseeable future. Such a control just is not possible with such rapidly-evolving threats and with expansion of attack surfaces (that most organisations experience).”
Brown suggests that the language of risk management could serve as a kind of lingua franca in this context, so to speak, by bringing together the ‘native dialects’ of the boardroom and the data centre. “Controlling cyber-risk effectively requires: continuous threat assessment from cyber security analysts; it requires risk management from cyber security managers; and it requires reviews and decisions on operational risk from senior management,” Brown avers. The common factor that threads assessments, management and decision-making together is another kind of language: metrics.
“Rather than translating between exec-talk and tech-talk, a common ground for communication should be sought,” agrees Gavin Millard, Technical Director at Tenable. “Metrics are the Rosetta Stone of interdepartmental communication, enabling conversations to be had, and decisions to be made, on complex areas where one of the parties isn’t an expert. By focusing on key performance metrics, for instance, a conversation can be far more beneficial without having to educate senior staff on cyber security buzzwords.”
Millard adds: “Comparison of metrics between different organisational units for context can be hugely beneficial and enable better decision support. For example, sharing the time to remediate critical vulnerabilities in the London office versus the New York office will demonstrate that the security team has good visibility into a foundational control, and also (good visibility of) how each are performing.” If New York’s time to remediate vulnerabilities is significantly worse, decisions can be made on whether investments are required to improve, or if the business risk associated with slower time is nonetheless acceptable.
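The office-to-office comparison Millard describes only works if the metric is computed consistently. The script below is an added illustration, not code from the article or from Tenable: it takes a constructed list of critical findings per office (the record layout, the 14-day SLA and the ‘as of’ date are assumptions for this example) and reports median time to remediate, the share of findings handled within the SLA, and the age of the oldest still-open finding. Two practitioner details matter here: a finding that is still open counts as an SLA breach once its age exceeds the threshold, rather than being silently dropped; and the median is used instead of the mean so a single neglected server does not swamp the figure.

```python
from datetime import date
from statistics import median

# Constructed sample data (not from a real scanner export). Each record is
# (office, date the critical finding was discovered, date it was remediated
# or None if it is still open). Field layout is an assumption of this example.
FINDINGS = [
    ("London",   date(2024, 3, 1),  date(2024, 3, 6)),
    ("London",   date(2024, 3, 3),  date(2024, 3, 12)),
    ("London",   date(2024, 3, 10), date(2024, 3, 20)),
    ("London",   date(2024, 3, 20), None),            # open, 12 days old
    ("New York", date(2024, 3, 1),  date(2024, 3, 25)),
    ("New York", date(2024, 3, 2),  date(2024, 3, 9)),
    ("New York", date(2024, 3, 5),  None),            # open, already past SLA
    ("New York", date(2024, 3, 15), date(2024, 3, 31)),
]

SLA_DAYS = 14              # assumed remediation target for critical findings
AS_OF = date(2024, 4, 1)   # assumed reporting date used to age open findings


def days_open(found, fixed, as_of=AS_OF):
    """Days a finding was (or has been) exposed; open findings age up to as_of."""
    return ((fixed or as_of) - found).days


def remediation_metrics(findings, sla_days=SLA_DAYS, as_of=AS_OF):
    """Per-office time-to-remediate metrics suitable for a board-level comparison."""
    per_office = {}
    for office, found, fixed in findings:
        per_office.setdefault(office, []).append((found, fixed))

    metrics = {}
    for office, records in per_office.items():
        closed_durations = [days_open(f, x, as_of) for f, x in records if x is not None]
        open_ages = [days_open(f, None, as_of) for f, x in records if x is None]
        # Open findings breach the SLA too once they are older than the target,
        # so they are included in the breach count rather than ignored.
        breaches = sum(1 for f, x in records if days_open(f, x, as_of) > sla_days)
        metrics[office] = {
            "closed": len(closed_durations),
            "open": len(open_ages),
            "median_days_to_remediate": median(closed_durations) if closed_durations else None,
            "oldest_open_days": max(open_ages) if open_ages else 0,
            "pct_within_sla": round(100 * (1 - breaches / len(records)), 1),
        }
    return metrics


def slowest_office(metrics):
    """Office with the highest median time to remediate (None if no data)."""
    scored = {o: m["median_days_to_remediate"] for o, m in metrics.items()
              if m["median_days_to_remediate"] is not None}
    return max(scored, key=scored.get) if scored else None


if __name__ == "__main__":
    results = remediation_metrics(FINDINGS)
    for office, m in results.items():
        print(f"{office:9} median {m['median_days_to_remediate']:>4} days, "
              f"{m['pct_within_sla']:>5}% within {SLA_DAYS}-day SLA, "
              f"{m['open']} open (oldest {m['oldest_open_days']} days)")
    print("Slowest office:", slowest_office(results))
```

With the sample above, London remediates in a median of 9 days with every finding inside the SLA, while New York’s median is 16 days and only a quarter of its findings are within target, partly because of a finding that has been open for 27 days. That is exactly the kind of figure an executive can act on without needing to know what the underlying vulnerabilities are.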
CySure CEO Joe Collinwood points out that while execs and techies might often find it difficult to communicate, it’s not just a question of a difference in language, but also the passing of responsibility: “Execs believe they are employing techies to keep the organisation safe – however, IT departments are full of technical people, not business people,” Collinwood says. “No one sues the IT department for a fiduciary failure – the buck stops with the board.”
“The common terms of reference in risk management allow cyber risk to be communicated in a way that senior management can understand using impact and likelihood of the incident to calculate risk,” says FarrPoint’s Dan Brown, “and to allocate funds respectively.”
Words: James Hayes. Images: Shutterstock.