Communication is key in all walks of life but particularly when it comes to articulating cybersecurity investment. Richard Sorosina, CTSO ANZ, Qualys, discusses the importance of the language used within cybersecurity to foster effective communication around the value of technology tools for mitigating risk.
The ever-evolving landscape of digital threats and the intricate nature of the technologies and systems we rely on has brought an extra level of complexity when it comes to cybersecurity.
Cybersecurity is a multifaceted challenge, involving interconnected digital infrastructure, highly motivated cybercriminals and a diverse range of threats. Technological advancements and the prevalence of connected devices add further complexity, necessitating continuous adaptation and the use of cutting-edge strategies and tools.
The issue is that this doesn’t even paint the full picture. At the root of the problem is a lack of understanding of the basic premise of cybersecurity and the complexity of the ‘language of risk’.
We need to first demystify the language of risk – yes, the complexity of its acronyms is confusing even to those embedded in the industry. The point we need to get across, though, is that IT teams, and even CISOs, can’t articulate what they do or the value they bring to an organisation. As the board mainly understands the language of risk purely in terms of the financial implications of high-level business risks, we must reframe how we provide an overview of the environment’s risk.
The sheer number of cyberattacks has already put IT security on the radar for boards and for CEOs, so they know they have to do something and invest in security. But the issue is how to explain what ‘good’ looks like to that audience.
The language used within cybersecurity adds a level of complexity: it poses a barrier between CISOs and business executives, and it fails to communicate how an organisation’s cybersecurity risks directly affect and impact the business. Not only that, CISOs aren’t able to articulate how a specific risk has been reduced or mitigated by the cybersecurity system or tool in place, and therefore the value of investing in that technology. For example, how does a good patch management or asset inventory approach translate into good business security?
Not having this knowledge available, or not being able to communicate it effectively, means organisations often take the wrong approach by buying point tools, such as one specific to ransomware, and they often don’t have the right system to integrate or support that tool, which leads to ‘wasting’ their money.
The current trend for cybersecurity is that organisations want to do more with less and make the most of the investments they’ve already made.
We need to reframe their thinking. Effective cybersecurity posture is ultimately based on the business’ risk at a higher level and any decision should cascade down from there. Cybersecurity is not actually that complex and there are simple steps they can take to make it work effectively for them and the business.
Making cybersecurity effective, not complex
Organisations need to take a holistic approach and review their overall risk before working their way down to tooling. Most executives are doing the opposite by buying specific tooling and aligning the business to that. To a degree it helps to temporarily mitigate some of the risks but it’s not the right approach. This is why we need to break down each step clearly to the organisation’s business executives.
The first step we always ask companies to take is around their asset management. Many companies compile an asset register, but they then don’t keep that list current, so they are looking at and making decisions based on outdated information. The list is important not only to assess the environment’s risk but also to prioritise which vulnerabilities pose the highest risk and which systems are most important to the business and need the most protection. Prioritising those critical applications first can help organisations keep those assets secure; only then should they look at automation to help patch and secure secondary systems.
The next step is to invest in a consolidated security tech platform that integrates core features which easily identify the company’s risks and assets, with an automated capability that prioritises those most vulnerable, freeing up time and resources and relieving stress for the IT security teams.
Education from IT level up
Organisations invest in security platforms and process automation due to two key factors.
Firstly, the risk of human error poses a significant threat, often stemming from basic mistakes made by uninformed users. While sophisticated attacks exist, many security issues can be attributed to what is known as a PICNIC issue – a ‘Problem In Chair, Not In Computer’ – meaning many of the problems that exist around security are basic human mistakes, not technical. Addressing security challenges requires making it easier for both management and employees to implement effective measures.
Secondly, the industry faces a shortage of skilled cybersecurity professionals, making it challenging to deploy and manage tools effectively. Because of this, the responsibility and added pressure fall on existing IT security teams, who often lack specialised expertise. Initiatives such as government-led training programmes and increased cybersecurity education are crucial to develop a skilled workforce and foster a culture of cybersecurity awareness.
Ultimately, fostering effective communication between cybersecurity professionals and business executives, along with comprehensive education from the IT level up, will be pivotal in enhancing organisations’ cybersecurity posture and resilience. By reframing their perspective and approach to the complexity of cybersecurity, organisations can gain a deeper understanding of the risks they face and make informed decisions for a more robust and resilient cybersecurity framework.