The SEC’s amendments highlight the need for companies to focus on cybersecurity and the wider business

In March 2022, the US Securities and Exchange Commission (SEC) proposed amendments to its rules on the disclosure of cybersecurity expertise within public companies. The proposals signal to institutional investors and shareholders that cybersecurity must sit at the core of the business, going beyond the conventional approaches that have allowed multiple headline-making breaches over the past few years. Here, Mark Brown, Global Managing Director of Digital Trust Consulting at BSI, discusses the relationship between cybersecurity experts and senior business leaders and what effective communication between them requires, since that communication ultimately shapes the business’ overall success.

Many cybersecurity professionals are not fully equipped with the business language needed to explain to the wider leadership the immediate priorities, the threats and the path forward during and after a breach. This communication gap can increase the severity and duration of a breach and shift stakeholder perception, with a significant impact on a firm’s bottom line and brand reputation.

Today’s digital trust-focused operating model makes seamless communication between cybersecurity professionals and executive leadership essential: both to mitigate current and potential risks and to fully understand the impact a cybersecurity or privacy breach can have on the business and its stakeholders.

Tasked with communicating in a technical language that senior business leaders rarely use, cybersecurity experts are typically siloed within an organisation and are not given a seat at the table. For cybersecurity professionals to communicate effectively, they first need to be considered important enough to be heard, and given the space to be heard by the senior leaders who can make changes within the organisation. All parties must understand that cybersecurity, and technology risk more broadly, is an essential part of the company, not an area where shortcuts can be taken or effort can simply be outsourced. Effective and trusted cybersecurity is integral to a successful and protected business in today’s digital age and should therefore be integrated into the core of the corporate structure, not passed to talent outside the walls of the organisation.

How to improve cybersecurity within business

One key step to closing the disconnect between cybersecurity and the business is developing a deeper understanding of each other’s needs, together with the terminology and processes that effective communication depends on. To do this successfully, both sides must exercise patience and be willing to accept their own shortcomings, setting titles aside and coming in with an openness to learn.

Board members and executive management must also take on a teaching role towards cybersecurity professionals, making themselves available to share insight and knowledge about the broader aspects of the business. Doing so creates a welcoming environment for learning, in which each side can openly ask questions of the other. This approach builds a bridge between the different functions and opens the way for the effective communication that public company boards will need in order to respond to the new regulatory requirements being proposed and likely to be implemented.

Additionally, transparency is vital to avoid the ‘blame culture’ that often takes hold after a cyber breach. Organisations that develop a culture of unity and cooperation have much better odds of recovering quickly, allowing the business to resume day-to-day work and avoid the collapse of investor confidence that can follow a major breach.

Talent as a driver for future success

In tandem with creating a culture of communication and collaboration between functions, business leaders must also focus on attracting the right talent to help bridge the gap. Like many other sectors, cybersecurity faces a global talent shortage. The industry has enjoyed effectively 0% unemployment for over a decade, but the reality behind that figure is that there are 5 million unfilled cybersecurity positions. As demand continues to soar, simple supply and demand means the cost of talent keeps rising rapidly, and businesses are recognising the value of the people they already have.

In our technology-dependent society, cybersecurity has become ever more vital. Coupled with rising inflation, this makes it necessary for organisations to meet competitive compensation demands to retain cybersecurity talent. Cybersecurity professionals often move to an equivalent role at another organisation for a 20-25% (or higher) pay rise. Beyond salary, the scarcity of sought-after cybersecurity talent also puts pressure on businesses to offer an enhanced employee experience with additional benefits.

Businesses can no longer rely simply on competitive salaries; they must also offer, and make visible, opportunities for professional development (beyond technical qualifications, for example through mentoring), retention incentives, flexible working arrangements and equity stakes. Companies that do not show a willingness to invest in their people will struggle to attract and retain good talent.

Building a more resilient cybersecurity approach

It will undoubtedly take many steps, and indeed years, to effectively navigate the disconnect between cybersecurity and the broader business. However, by recognising the need for cybersecurity to be integrated into the central business model and taking steps to allow this to occur, businesses will be better positioned to mitigate future attacks and disruption.

The steps required include educating both cybersecurity and senior business professionals in what the other does, and sharing terminology so that each side can communicate in a way the other properly receives. Cybersecurity professionals must also be given the opportunity to voice their needs by being given a seat at the table. Beyond that, organisations must create an environment that fosters collaboration and unity rather than a ‘blame culture’ when a breach does occur. Finally, organisations must offer a competitive salary and benefits to attract and retain the limited pool of technology professionals available in this period of significant talent shortage and economic uncertainty.

Ultimately, the integration of both the technical side of cybersecurity and the greater business will allow for a more robust cybersecurity presence and arm organisations with the ability to protect their digital presence and brand reputation.

Organisations which embrace this need for enhanced integration are likely to thrive in the new digital society and economy – those who fail to do so may simply sleepwalk to extinction.
