What key discussions should CISOs engage in to mitigate and manage the cyber-risks their organisations face? 

Riaz Lakhani, Chief Information Security Officer, Barracuda Networks

Riaz Lakhani, Chief Information Security Officer at Barracuda Networks, says:  

“Security breaches have business implications that reach far beyond IT disruption. For senior cybersecurity professionals this means that in addition to keeping the organisation secure and cyber-resilient, they need to know how to effectively communicate cyber-risk to very different and often non-technical stakeholders. 

“This can be a challenge. An international study found that just over a third (35%) of the small business IT security professionals surveyed think senior managers don’t see cyberattacks as a significant risk.  

“This isn’t a question of management failure. It is hard to be interested in or care about something you don’t fully understand.  

“The responsibility for addressing this gap rests with security leaders. They need to become storytellers and relationship builders. 

“In my experience, there are three key conversations security leaders should be having on a regular basis to effectively communicate cybersecurity risk and build strategies.  

“At a foundation level, they need to engage regularly with technical colleagues such as engineers, developers and security researchers. Building strong relationships with these individuals and understanding security from their perspective is crucial, as these are the people security leaders rely on in a crisis. 

“Second, CISOs should hold regular meetings with senior managers, including the Chief Executive or their equivalent and critical risk departments like finance and legal. These conversations should focus not just on evolving threats and security tools, but on what an incident might mean for products or business roadmaps, risk, compliance and customers. 

“Finally, security leaders need to effectively communicate risk to people who advise the business, such as the board of directors. Board members and non-executive directors bring a wide range of experience and backgrounds to the table. The golden rule here is to address everyone’s needs and concerns and keep things high-level and simple. 

“An engaged leadership is one of your most powerful assets for ensuring policies, programmes and investments succeed. The discussions you have and the relationships you build will ensure they understand where the risks are, how to address them and how to keep the company resilient.” 

We speak to experts from Check Point, WatchGuard Technologies and SailPoint about their views on the conversations CISOs should be having to encourage cybersecurity awareness and maintain secure operations.  

Sadiq Iqbal, Cyber Security Advisor, Check Point Software Technologies 

The modern Chief Information Security Officer (CISO) occupies a pivotal role, straddling their organisation’s technical and business realms while navigating a complex landscape of cyberthreats. To effectively mitigate and manage these risks, CISOs must engage in a range of critical conversations. 

Building a strong communication foundation should start with the Board of Directors. This is because aligning the security programme with business objectives, clearly communicating key performance indicators and securing adequate funding is essential. This communication ensures that security is viewed as an enabler rather than a hindrance. 

Collaboration with the executive team, legal and HR departments is equally crucial. Each brings unique perspectives and challenges that the CISO must understand and address. By fostering open communication and shared goals, CISOs can build trust and influence. 

Engaging with business area leaders is often an overlooked opportunity. Early involvement in project planning allows CISOs to proactively identify and mitigate risks, rather than reacting to issues after they arise. This collaborative approach fosters a culture of security by design. 

The security backbone 

The CISO’s team is the backbone of the security programme. Creating a supportive and collaborative environment is critical to retaining top talent and fostering innovation. Recognising and rewarding achievements, providing growth opportunities and prioritising work-life balance are essential for team morale and productivity. 

At the same time, peer networks, security groups and law enforcement provide invaluable resources for CISOs. Sharing experiences, best practices and threat intelligence can help organisations stay ahead of emerging threats, while building strong relationships with law enforcement can also be crucial in incident response. 

Public relations and crisis management are also increasingly important aspects of the CISO’s role. The ability to communicate complex technical issues in clear and understandable language is essential for building trust with stakeholders and managing the organisation’s reputation. 

The evolution of the CISO role demands strong communication skills. As the face of cybersecurity, CISOs must be able to articulate the value of security programmes to a diverse audience, from the boardroom to the general public. 

By fostering strong relationships with stakeholders, promoting a culture of security and effectively communicating the value of the security programme, CISOs can significantly reduce cyber-risk and protect their organisations from harm. 

Anthony Daniel, Regional Director – Australia, New Zealand and Pacific Islands, WatchGuard Technologies 

The role of the Chief Information Security Officer (CISO) has never been more critical. As the digital landscape evolves and cyberthreats become increasingly sophisticated, CISOs must navigate complex challenges to protect their organisations. 

A cornerstone of effective cyber-risk management is fostering a collaborative environment between IT and security teams. Historically, these groups have often operated in silos, hindering their ability to respond effectively to cyberthreats. 

To bridge this divide, CISOs must prioritise building strong relationships and open communication channels between these crucial departments. This requires a leadership-driven security culture where cyber-risk is viewed as a shared responsibility, not solely the domain of the security team. 

By establishing an information security council with representatives from IT and other departments, CISOs can create a platform for open dialogue and collaboration. This council provides a space to share insights, align on shared objectives and develop joint strategies to mitigate cyber-risks. 

It’s essential that CISOs demonstrate a genuine commitment to involving all stakeholders in the security process, ensuring their feedback and ideas are valued. 

Once trust and collaboration are established, IT and security teams can work together to develop and implement joint protocols for incident management. By clearly defining roles and responsibilities, organisations can significantly improve their response capabilities in the event of a cyberattack. This collaborative approach also enables teams to identify and address security weaknesses more efficiently. 

Ultimately, the success of any cybersecurity programme hinges on the ability to foster a culture of security across the entire organisation. By prioritising collaboration between IT and security teams, CISOs can create a more resilient and secure environment. 

In today’s threat landscape, where cyberattacks are becoming increasingly frequent and damaging, this approach is essential for protecting an organisation’s valuable assets. For this reason, CISOs must evolve their strategies to stay ahead of the curve. 

By cultivating a collaborative environment and breaking down silos between IT and security teams, organisations can significantly enhance their ability to mitigate and manage cyber-risks.

Rex Booth, CISO, SailPoint

Foremost, CISOs need to embrace their dependency on others – on the CIO to implement policies, on legal for coverage during an incident, and on the CEO to establish tone at the top. The CISO can accomplish very little unilaterally, and the ability to develop relationships matters more in the role than in any other skill set. If you want to manage risk, you’re going to need allies. 

You need to find trusted authorities in the fields where you’re not an expert and listen to their concerns. Understand their perspective and see the world through their lens. You’ll likely uncover risks you didn’t even know to look for. We’re all unwitting occupants of a digital battlefield being contested by nation-states, criminal gangs and other bad actors. None of us succeed on our own – we’re strongest when we join with others for a collective defence.  

We often hear that people are the weakest link in our chain – that they’re our greatest risk. But if that’s true, why don’t we hear about more CISO/HR collaborations? Why aren’t more CISOs reaching out and having meaningful discussions about how they can partner with workforce leaders to incentivise good security behaviour? Our field still defaults to technical solutions, but sometimes the best solution needs an uncommon partnership. 

CISOs must ensure information sharing and collaboration flows through their organisation, to be one step ahead of cybercriminals. Everyone, enterprise-wide, must be educated right from day one on the potential risks. Security should ultimately enable the right people to do the right thing at the right time. But the flip side to that is preventing the wrong people from doing the wrong thing, too. Discussions need to centre around three key elements: identity, access and asset management.  

Today’s workforce is complex, with non-employees making up nearly half of corporate identities. With identity often being the make or break of any type of attack, CISOs have a vital role to play in better safeguarding identities, both machine and human, employee and non-employee. 

Enterprise complexity is quickly outpacing human capacity for understanding. Through the smart application of AI-enabled identity security technologies, CISOs can put the right measures in place to ensure visibility. Having centralised visibility is crucial for organisations to deal effectively with any suspicious behaviour well ahead of a breach occurring. 

One area that doesn’t regularly come up in discussion, but is increasingly becoming a frontline target, is HR. It’s not necessarily that attackers focus on HR-specific systems, they’re just looking for systems with sensitive information on them – and HR holds plenty. Knowing they’ll be looking for data they can monetise, hold to ransom or use for intelligence, CISOs must work more closely with HR leaders to prevent and detect potential threats.  

To stay ahead of cyberthreats, CISOs must ensure they collaborate and engage with all departments – especially those that they have traditionally placed less focus on. With the right technology in place, CISOs can work effectively with the wider business to implement a multi-layered approach to security.   

Intelligent CISO