Whether or not security operations pose a core focus to a company or are an afterthought, the largest obstacle now affecting business and security outcomes is the language barrier that exists between security teams and the C-Suite.
In general, security groups’ budgets have increased over the years, with organizations adding more vendors to the mix, “layering” security with the latest new tool to address the latest threat. One of the newest such tools is “threat intelligence” which organizations are using to form an “intelligence-led security” program, a security operations center, or incident response capabilities. While threat intelligence and other solutions hold the answers to many of the important questions executives ask about cyberattacks, this terminology means nothing to C-level executives, nor does the output from these systems and programs. What does it mean that you have stopped one billion attacks this past month? What impact have the 30 incident responses you’ve run over that same period of time had on the business? What’s the significance to reducing response time from one month to one day?
Executives running and overseeing a company have two primary concerns: increasing revenue and shareholder value. There is a big disconnect between security and the C-suite because they speak two different languages. One is a very technical language that needs a translation layer to explain it to the executives. The other is a very strategic language that needs to be conveyed in a way that makes security part of the team and company, and ensures alignment and participation with the business units and executive suite.
What’s the fix? Communication. Each group has to understand the other at least enough to relay the core concepts as they apply to the other and in a language the other understands. As a first step, some companies are adding a technical expert—a “designated geek,” if you will—to their board of directors so they can work on improving communication and understanding. While that can help, it takes a lot more to make sure priorities, efforts and results don’t get lost in translation.
A Two-Way Street
Executives need to include the chief information security officer or chief technical officer as part of their strategic discussions and make sure that security leadership has the ability to push that communication down to their teams in a way everyone understands. To that end, CISOs and executives need to train their security operations personnel to ensure they understand the business. This starts by asking some critical questions:
- Does every member of the security team understand what is it that you sell/produce/provide?
- What are the things your security teams need to watch out for to protect revenue?
- Many organizations operate large industrial control systems. If your organization has such a system, is your security team aware of this?
- If your company is moving into the cloud or is about to launch a mobile app, does your security team know about this and have you enabled them to get the right monitoring in place to protect it?
- Have you involved the security team as you were designing that new revenue stream, or evolving your business model in some other way, to be sure that security isn’t an afterthought?
These are just a few examples of how executives need to think about the enterprise to ensure that security is strategically aligned. It is incumbent on the business to train the security personnel on its priorities so that security teams can look for attacks that are important to the business and take action.
Likewise, security teams need to change how they communicate to the C-suite. Every security team should conduct a stakeholder analysis to identify who needs to be informed of what and when. It all comes down to content, format and frequency. Make sure you have regular communications with not only your peers in security and network operations, but with the business units, risk management, C-level executives, the board of directors, and anyone else in the company that is involved in the day-to-day objectives and operations of the company. The CISO should be the link to make this connection happen, working with executives to establish regular communication.
There is no “right way” to communicate. Some executives and boards are more technical than others. Security teams need to take the time to learn what type of communication will be most effective or forever struggle to align security with the business. Sticking with the generated metrics of number of events, alerts and incidents per month has far less impact than an update that contains the “who, what, when, where and why” of a thwarted attack. For example: “We identified and stopped one attack this month from a cyber espionage group targeting our Western European manufacturing facility, which is responsible for $20 million per year in revenue to the company.”
For those in security who feel they can’t deliver such a statement because their security infrastructure doesn’t provide that kind of information about threat actors and campaigns, there is a path forward. Look into creating a program that uses adversary-focused, contextual cyber threat intelligence and make sure you understand enough about your business to know the impact of threats against the various business units. With the communication gap closed, and security and business goals aligned, organizations can become more secure, and profitable.