Very few CISOs are lucky enough to work for an organization whose senior leaders prioritize security, or report to a board of directors that inherently understands its importance. As a result, a key element of a CISO's job is to educate senior leadership on data risk and effectively communicate the importance of a robust security program.
But increasingly, this communication is falling on deaf ears. Framed in the context of cyber threats, data breaches, and overused statistics, senior leaders are starting to tune out the “it’s not a matter of if, but when” mantra. We need a better message.
Perhaps the greatest challenge for a CISO is quantifying the value of security. Often, we quantify the potential savings that resulted from something not happening – in essence, trying to prove a negative – which isn’t overly compelling to a board of directors. Other times, we emphasize the compliance requirements that dictate our security investments. But this just further drives home the perspective of senior leaders that security is simply a necessary evil, a tax on their business. We also must remember that board meetings are dominated by discussions around new business opportunities, M&A activity, and other revenue generating initiatives. It’s no wonder they tune out when the topic of security investment comes up. Or worse, when they do tune in, it’s to figure out how to spend less on security.
We need a better way to frame the discussion. Importantly, it’s not just about communicating the importance of security (and the need to invest in it); it’s also about educating senior leaders on the value of effective data risk management. An effective data risk management (DRM) program doesn’t just reduce risk: it also identifies broken business processes and duplicative efforts, and provides the means to correct these inefficiencies, streamlining business operations. An effective DRM program also enables better use of data, improving the way in which the organization takes advantage of its inherent value. Ultimately, conversations with senior leaders will need to address risk, but we must take that opportunity to highlight reduced business risk, not just “cyber” risk. It’s not all about threat and breach prevention. A DRM program will shine a light on the potential risk in business operations: who has access to business-critical and proprietary information? Who are our trusted business partners, and who should communicate with them? How do we identify risky behavior (malicious or otherwise), and implement ways to correct that behavior? How do we make individual business units more efficient in their interaction with data?
In short, an effective DRM program allows you to communicate the value of security not just in terms of breach prevention and compliance, but in terms of business process improvement and overall organizational risk reduction. The CISO can’t just be the technical expert in the room. The CISO must be a business partner. So where do we begin?
First, we need to determine the key senior leaders and decision-makers who need to be educated about data risk. This may include the CEO, CIO, CTO, CFO, and relevant department heads. And before we tell them all about our awesome DRM program, we need to first understand their perspective – how much do they know about security in general, or the difference between cyber risk and data risk? Do some individuals need more background knowledge than others, so we can put all stakeholders on a level playing field? Once we establish that baseline of knowledge, we then must understand how they feel about the organization’s data – what data is sensitive in their opinion, who should have access to it, and who can we collaborate with? What would each of these stakeholders like to know about organizational data? Hint: this isn’t just a data protection question – a DRM program enables improved data analytics.
At the end of the day, this first phase is a hearts and minds campaign, best accomplished through a series of one-on-one meetings with each stakeholder. Developing those relationships and uncovering individual needs and objectives is critical. Only asking for feedback in group settings won’t elicit all the information you need, as not everyone will participate.
Have *one* slide prepared that demonstrates the real-world impact of data breaches and security incidents. Do your research: provide statistics, case studies, or examples from your industry that quantify the financial and operational impact of security incidents and support the financial justification for your program. And then move on. The “house is burning/sell through fear” tactic is tired and ineffective. So cut to the chase and describe what you do in business terms, translating technical jargon and security concepts into language that senior leaders can relate to. From a research perspective, a good place to start is IBM’s Cost of a Data Breach Report. Check out the 2023 report here.
Obviously, there is a huge risk management element to this discussion, where you’ll have the opportunity to discuss how your efforts (and the organization’s security investment) enable compliance: regulatory, legal and contractual. There’s nothing wrong with pointing out that if you don’t do certain things, you can’t do business in certain areas. But once that message is delivered, senior leaders are looking for the “what else?” Is your role a necessary evil, a cost center, or is it adding value in other ways? Once your DRM program is established, you should be able to come up with a variety of anecdotal evidence that shows how your efforts uncovered broken business processes that, once corrected, made the business more efficient. Or how you were able to identify risky behavior and protect proprietary information. Or how your efforts in data management have made data analytics and business intelligence more effective.
The point is, take the time to highlight business accomplishments, and talk less about “security”.
Demonstrating the effectiveness of your program is critical, but equally important is your plan for the future. How are you going to enable business transformation, such as a safe and efficient cloud transformation? How are you going to address vendor consolidation, and what impact will this have on cost savings and efficiency? What business opportunities will your department’s efforts create?
Make no mistake, senior leaders will always want to know how you will accomplish more with less, so presenting a plan that reduces cost or increases efficiency will capture attention. Similarly, when investments are required to implement that plan, a commitment must be made to demonstrate a return on that investment. Which leads us to the next step.
If it’s not measured, it didn’t happen.
Your hearts and minds campaign must solicit feedback on what these individual stakeholders want to know. Reporting metrics on things they don’t care about won’t help your cause. If they are genuinely concerned about risk, dig into what is important – trends, gaps, project status, etc. If they are more concerned with compliance, clearly show identified gaps in regulatory, legal or contractual compliance coverage, and timelines for resolution. Most likely, you’ll be spending a lot of time quantifying the return on investment for approved security projects, so determine up front the criteria for success and how it will be measured.
Establish agreed-upon key performance indicators (KPIs) to measure and report on effectiveness and progress, and present it in a format and cadence that is requested by your stakeholders. It’s their report, not yours.
Make sure senior leadership understands that their people are, and will always be, the most significant threat vector. You are constantly trying to identify and implement new, fun, interesting and effective ways to train your people. And it doesn’t always work. The typical employee isn’t thankful that they got tricked by a phishing email, and they certainly aren’t interested in completing their annual online awareness training.
But a little support from the top would go a long way. If the most senior leaders in the company communicated the importance of security, and the support they will give to the security team, that message will resonate among employees. It’s no panacea, but it will help. So ask for this public support.
Educating senior leaders on security in general, and its importance to their organization specifically, can be tricky. It’s a topic they won’t be overly enthused about, so running through a slide deck to review key concepts, best practices, and data protection strategies will not move the needle. The only way to engage this stakeholder group is through real-world scenarios.
Walk them through a ransomware attack and how it will impact the business, and find out how they would propose to continue business operations in such a scenario. Then describe the measures you’ve put in place to address such an incident (so they understand the value you’ve already provided), but be specific about the gaps that still exist, and what you need to address those gaps.
Part of this exercise will cover your Incident Response Plans, and the roles these leaders need to play when the plan is invoked. This is an opportunity to discuss their comfort level with their roles, and what additional training might be required.
Bottom line: table-top exercises can, and should, be fun and engaging. Quite frankly, it’s your only hope of capturing the attention of this stakeholder group.
Just like a DRM program, educating senior leadership is not a project; it’s a process that never ends. The business, the compliance requirements, and the threat landscape are constantly evolving. Accordingly, what you report to the board, and how you report it, must also evolve.
Never stop meeting with individual stakeholders to seek their input and encourage their thoughts and insights on data risk management. Their engagement and support are critical for implementing effective security measures.
Now that you’ve come to the end of this article it’s time to self-evaluate. Where do you stand with senior leadership and board level engagement? Are you crystal clear on what matters most to them? Do you have an effective strategy for educating them on what matters most, and communicating the value of your efforts?
Download the Educating Senior Leaders about Data Risk Workbook and start putting these recommendations into practice.