Effectively communicating with company executives has always been a challenge for us in information security. Sometimes I felt like a complete stranger in a land where nobody spoke my language. These stressful meetings inevitably ended in one of two outcomes, neither desirable: executives either agreed with our recommendations without truly understanding the needs (a.k.a. “alright kids, here is some money, now go buy some toys and leave us alone”), or rejected them outright.
By Glauco Sampaio, CISO for Cielo
Many of these communication issues can be blamed on how security professionals craft the message:
• Extensive use of security jargon and technical acronyms
• Assumptions that executives understand the roles of different solutions (such as firewall, anti-spam or anti-malware)
• The use of fear tactics, particularly when reacting to an important incident, to justify security requirements
• Justifying the request only on legal requirements, audit findings or the need to obtain certifications
I always left these meetings with a nagging feeling that things could be different and that we should be able to establish a common understanding of challenges and recommendations. It was not uncommon for both sides to feel a bit embarrassed about the situation.
I once had a boss who nagged me a lot, until our presentations reworked the technical jargon, carefully making the content understandable to my audience. It was a long and sometimes frustrating journey until I understood that a new approach was needed: I was not able to lead my executive audience to develop the empathy required to fully appreciate security challenges.
The adoption of security frameworks and best practices as a driver for our actions was a different approach. Being in compliance with these standards was a path that showed maturity in the security areas, in addition to being measurable. After the execution of the proposed security plan, it was possible to show the evolution of security controls. Justifying the budget and resources that were granted through numbers brought comfort to our presentations and was understandable to executives.
In my experience, the problem with this approach is identifying the ideal maturity level for each company. Do we really need to be state of the art in all security disciplines? Is being within the market average enough, or do we need to be at the top of the list of adherence to a certain framework? Hearing these questions is challenging and the answer can be complex.
With professional maturity, I started to understand that we need to approach executives in a language that is intelligible to them. I gained an appreciation that executives engage when there is a mutual and clear understanding of the rationale behind specific tasks. For example, “DDoS Protection” takes on a whole different meaning when presented as a mechanism to prevent attacks that can make customer-facing services unavailable. This simple change in presentation opens the opportunity for the executive to understand the “risk” that we are trying to mitigate. We cannot deny that the impact of major incidents caused by cyberattacks within the last few years, and the media attention dedicated to them, have helped a lot to raise executives' awareness of the importance of cybersecurity.
I started to use risk concepts to justify security investment needs and associate these requests with possible impacts on the business. This is a similar approach I had used when building business continuity plans.
Another support for this approach was the use of threat modeling. Starting with the definition of the risk scenarios that need addressing reframes the conversation around business impacts, without the need for in-depth security knowledge.
The big question now revolves around how to measure these risks. Most analyses conclude that both the impacts and the probabilities are very high, which defeats the purpose of any attempt at prioritization. Every scenario becomes a high risk to the organization, and ignoring the security controls that already mitigate these scenarios can severely hinder attempts to prioritize.
An appetite for risk
How much do we need to invest in enhancing security controls? Do we need to drive towards residual risks whose impact becomes negligible? Companies must have a risk appetite culture. To make this possible, it is our role to present the risks in a way that makes it feasible for executives to decide to fund investments, change processes and even modify the characteristics of products or services. We must learn to measure the company's risks, and know how to size each scenario and how much the proposed controls will reduce it. At a simplistic level, a specific control implementation should not cost more than its total benefit for the company.
It may look utopian to think about making this type of measurement. In some cases it is relatively simple, especially when we are talking about the security of systems and business environments: how much the unavailability of a service due to a denial of service attack costs, or how much monetary loss the absence of a control or a vulnerability that enables fraud in a financial system can represent. Even the case of a customer information leak is, today, more easily quantifiable, since privacy laws around the world have established fines that governments impose on companies.
Other, more technical scenarios are harder to measure and quantify. Security professionals need to develop an assumption-based model that allows for a general quantification of different impact scenarios to the business. While imprecise by nature, the use of a consistent model across a variety of issues can provide a powerful tool for prioritization by executives.
Risk management must always be discussed with company executives, as they are the ultimate decision-makers. Our role, as the persons responsible for the security of our companies, is to support these decisions with reliable data. This collaborative governance process creates a shared responsibility model between security professionals and executives, based on transparency and trust.
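The three preceding paragraphs describe an assumption-based model in which each scenario is sized in business terms, the reduction a control brings is estimated, and a control is justified only when its benefit exceeds its cost. The script below is an added illustration of such a model; it is not code from the article or from the author's organisation. Every scenario, loss figure, frequency, control cost and reduction factor in it is a constructed assumption chosen only to show the mechanics (expected annual loss before and after a control, the resulting benefit, and a ranking by net benefit), including the case where a control fails the cost-benefit test.

```python
# Added example, not part of the article: a minimal assumption-based risk model.
# Expected annual loss = loss per event x expected events per year; a control
# reduces either or both factors. All numbers below are constructed assumptions.
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Scenario:
    name: str
    impact_per_event: float   # assumed loss per occurrence, in currency units
    events_per_year: float    # assumed frequency before any new control


@dataclass
class Control:
    name: str
    scenario: str             # name of the Scenario this control addresses
    annual_cost: float        # assumed licence + operating cost per year
    frequency_reduction: float  # assumed fraction of events prevented (0..1)
    impact_reduction: float     # assumed fraction of loss per event avoided (0..1)


# Constructed scenarios, stated in business terms rather than security jargon.
SCENARIOS: List[Scenario] = [
    Scenario("Customer portal unavailable (DDoS)", 200_000, 2.0),
    Scenario("Payment fraud via missing transaction limit", 50_000, 6.0),
    Scenario("Customer data leak (regulatory fine)", 1_500_000, 0.1),
]

# Constructed candidate controls, one per scenario.
CONTROLS: List[Control] = [
    Control("DDoS scrubbing service", "Customer portal unavailable (DDoS)",
            120_000, frequency_reduction=0.9, impact_reduction=0.0),
    Control("Velocity checks on transactions", "Payment fraud via missing transaction limit",
            30_000, frequency_reduction=0.5, impact_reduction=0.6),
    Control("Data loss prevention tooling", "Customer data leak (regulatory fine)",
            200_000, frequency_reduction=0.3, impact_reduction=0.2),
]


def annual_loss(s: Scenario) -> float:
    """Expected annual loss of a scenario with no additional control."""
    return s.impact_per_event * s.events_per_year


def residual_loss(s: Scenario, c: Control) -> float:
    """Expected annual loss once the control's assumed reductions are applied."""
    impact = s.impact_per_event * (1.0 - c.impact_reduction)
    frequency = s.events_per_year * (1.0 - c.frequency_reduction)
    return impact * frequency


def evaluate_controls(scenarios: List[Scenario], controls: List[Control]) -> List[Dict]:
    """Return one row per control, sorted by net benefit (benefit minus cost)."""
    by_name = {s.name: s for s in scenarios}
    rows = []
    for c in controls:
        s = by_name[c.scenario]
        before = annual_loss(s)
        after = residual_loss(s, c)
        benefit = before - after
        rows.append({
            "control": c.name,
            "scenario": s.name,
            "loss_before": before,
            "loss_after": after,
            "annual_benefit": benefit,
            "annual_cost": c.annual_cost,
            "net_benefit": benefit - c.annual_cost,
            # The article's simplistic rule: a control should not cost more than it saves.
            "worth_funding": benefit >= c.annual_cost,
        })
    rows.sort(key=lambda r: r["net_benefit"], reverse=True)
    return rows


def prioritized_names(scenarios: List[Scenario], controls: List[Control]) -> List[str]:
    """Control names in the order an executive would be asked to fund them."""
    return [r["control"] for r in evaluate_controls(scenarios, controls)]


if __name__ == "__main__":
    for r in evaluate_controls(SCENARIOS, CONTROLS):
        verdict = "fund" if r["worth_funding"] else "do not fund (as modelled)"
        print(f"{r['control']}: loss {r['loss_before']:,.0f} -> {r['loss_after']:,.0f}, "
              f"benefit {r['annual_benefit']:,.0f}, cost {r['annual_cost']:,.0f}, "
              f"net {r['net_benefit']:,.0f} -> {verdict}")
```

With these constructed inputs the DDoS and fraud controls rank first and second, while the data loss prevention tooling costs more per year than the loss it is modelled to avoid, so it falls to the bottom rather than being labelled "high risk, must do". The point is not the exact numbers, which are assumptions, but that stating the assumptions explicitly lets executives argue about the inputs instead of the jargon.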
This topic is constantly evolving, and there are some mature frameworks on the market that can help us to measure and quantify security risks. I recommend that all of us study and apply them. Their application in different scenarios, cultures, countries and levels of maturity will ensure that we stay on the right path.
About the Author
Glauco Sampaio is an information security professional who lives in Brazil. He has 20 years of experience and has served media companies such as iG and Editora Abril. He has also worked in financial institutions such as Santander Bank, Votorantim Bank and Original Bank. He is currently working as CISO for Cielo, where he oversees the security strategy for the largest Brazilian credit and debit card operator.
Disclaimer: CISO MAG does not endorse any of the claims made by the writer. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same. Views expressed in this article are personal.