Communication is One of The Biggest Cybersecurity Challenges to Overcome

Dr. Eric Cole
10.07.2021

Illustrations by Pete Gamlen

Dr. Eric Cole, a former CIA hacker and industry-recognized expert with over 20 years of hands-on experience, shared why it’s communication, not cyber threats, that’s the industry’s biggest challenge to overcome.

Listen to the full podcast here, or read on for Dr. Eric Cole’s top three takeaways.

The biggest problem in cybersecurity today is the lack of communication.

The biggest problem today in cybersecurity is that there is no communication between the technical folks and the executives. Most executives believe that if they spend enough money and hire enough cybersecurity people then their businesses will be secure, but it’s not that simple. Even with world-class technical people, poor communication can prove a significant barrier. A CISO can identify risks and tell business executives where they believe money needs to be spent, but if they’re not communicating in business terms, executives are not going to listen.

This communication barrier is why we see companies spending a lot of money and resources on cybersecurity without securing the basic core areas, and the problem lies with how people view the role of the CISO. Generally, people think that the CISO is a technical position and will hire accordingly, but this is a misconception. Someone can be a world-class technical person, but that does not automatically make them a good CISO. A CISO is a strategic thinker who can communicate technical components using business language so that the executives can make the correct decision. To me, that’s the broken piece in many organizations.

Cybersecurity risks need to be communicated in business terms, and without emotion.

In cybersecurity, we deal with risk – the probability of loss. We don’t know what is going to happen, and we need to communicate using language that reflects this.

The problem is that world-class security engineers naturally use language that they’re comfortable with, which is technical and not business-led. Further to this, cybersecurity people are brilliant and methodical, so they form conclusions and then believe wholeheartedly that they are correct. So when cybersecurity people talk to executives they often approach the conversation as though they would a debate, making it emotional and one-sided. This is why the idea that I highlight when training CISOs and security folks is that data should drive decisions, not emotions.

So, how can we improve communication between security employees and business executives? To help executives understand a security risk, four things need to be presented:

  1. What could happen
  2. The likelihood that it will happen
  3. The cost if it happens
  4. The cost to secure against it happening

Then ask them if they would like to take the suggested security measures. The key here is that the answer shouldn’t matter to the CISO or security engineer. They have communicated the problem in simple terms, made executives aware of it and given them the data – they have done their job and the rest is in the executives’ hands.

Risk should be priced and communicated using quantitative bands

Risk is notoriously difficult to put a price tag on – even insurers struggle to do so! In my opinion there is no point trying to describe things exactly. The problem is, executives don’t tend to respond to qualitative descriptions either – describing something as ‘high risk’ or ‘bad’ just isn’t tangible to them.

The solution is to communicate in general bands, where the information is inexact but quantitative. For example, instead of describing a security risk as ‘high risk’ and the outcome as ‘bad’, the risk can be described as being 80-100% likely, with a possible cost of £5 million to £10 million. This is not a perfect science, but it bridges the gap, and presents executives with something in business terms that is actionable.

For more from Dr. Eric Cole and his take on communication in cybersecurity, listen to our Tessian Podcast episode here.