Translating Cybersecurity Assessments for Non-IT Leadership

IT Leadership knows that having a holistic cybersecurity solution is critical to protecting the organization from cyber threats. They understand the complex nature of cybersecurity and all the technical processes that come with it. Non-IT Leadership wants to pitch in and help – but may not fully grasp the magnitude of the problem and their role in providing a comprehensive, companywide strategy.

Short on time? Scroll to the bottom for the cliff notes.

The task at hand is to help fellow Non-IT Leadership understand that security is a business problem. Present them with the plain facts – information they can understand and assimilate to. They want to know the likelihood of a cyber incident occurring, the impact on the company’s ability to produce and sell its products or services, and the potential impact on the brand.

Leave the Technical Jargon at the Door

Instead of going into the technical nature of cybersecurity, talk concisely and speak to what Non-IT Leadership needs to hear: risks, opportunities, and strategic implications. IT leaders need to translate cybersecurity technicalities into value and the business risk they know exists – and the first step and a perfect place to start is a cybersecurity assessment. This will help prioritize the risk based on your organization so you know where to invest.

Little satisfaction among non-IT leaders

In a National Association of Corporate Directors (NACD) survey, less than 15 percent of directors said they were “very satisfied” with the quality of cybersecurity information they receive from management.

Key decision-makers, including Non-IT Leadership, must be behind cybersecurity initiatives for these plans to succeed. Getting cybersecurity buy-in across leadership comes from straight facts – translating cybersecurity technicalities into value and real business risk.

The role of the fellow leadership/board of directors – which needs to be communicated – is to provide strategic oversight for the organization and hold management accountable for performance. The cybersecurity pitch can’t be overly technical but should be relatable, so Non-IT Leadership can understand how cybersecurity affects the bottom line.

Remember that you can’t justify cybersecurity expenses if fellow leadership doesn’t understand potential cyber risk and how it affects the organization. Focus on business-oriented metrics and how mitigating breaches and attacks after the fact can cost more than the cybersecurity solution.

Leave Chicken Little Alone

However, this isn’t the time to panic and avert to “the sky is falling,” aka, Chicken Little Syndrome. Avoid creating the Chicken Little Syndrome among Non-IT Leadership regarding cybersecurity. Chicken Little Syndrome is described as “a sense of despair or passivity which blocks the audience from actions.” It can occur if the cybersecurity “pitch” includes fearmongering language without justification for a solution or the actual cost of cybersecurity solutions.

Instead of taking the fearmongering approach, encourage practical discussions based on data and start with findings from cybersecurity assessments.

Assess and Answer

Assessing your organization’s current posture is the first step in answering the strategic questions from leadership and ultimately getting buy-in. Use a third-party assessment tool to create a baseline of present cybersecurity risks and answer common questions from fellow leadership:

1. What are our most important assets, and what are we doing to protect them?
   • Data, people, IP, systems, processes
   • Value of data and impact of loss or disclosure
   • Where are these assets located or stored?
2. What are our identified insider risks?
3. What are our identified third-party risks (suppliers, vendors, partners, customers)?
4. What metrics do we use to monitor and evaluate the risk to the company?
5. What are the layers of our defenses? Which threats are mitigated?
6. What is the business case for cybersecurity? How can cybersecurity enable business functions?
7. How do we quantify our organization’s cybersecurity program? For example, how do we measure and track cybersecurity awareness across the organization through indicators such as completion of training programs, reporting, and compliance?
8. How would we know if we’ve been breached? Do we have the people and tools to detect and respond to an incident?
9. What is our response plan in the event of an incident?
10. How much of our IT budget is being spent on cybersecurity? Is that investment enough?

Form a Strategic Plan

Cybersecurity assessments also provide recommendations for improvement, allowing your team to set strategic goals that IT can measure against to show improvement. The Cybersecurity Health Checkup puts the assessment results in layman’s terms.

The ideal solution has a way to measure, set goals and communicate them to Non-IT Leadership for buy-in, execution, and continuous, ongoing improvement. Everyone in the organization should understand the biggest cybersecurity priorities based on a risk assessment and the cascading effect if those risks are not mitigated. Without it, there’s no way to justify any plan, and you won’t have the credibility to create a successful path forward.

TL;DR

• Instead of going into the technical nature of cybersecurity, talk concisely and speak to what Non-IT Leadership needs to hear: risks, opportunities, and strategic implications.
• The cybersecurity pitch can’t be overly technical but instead should be relatable – so Non-IT Leadership can understand how cybersecurity affects the bottom line.
• Use a third-party assessment tool to create a baseline of present cybersecurity risks and answer common questions from fellow leadership.
• A cybersecurity risk assessment will also provide recommendations for improvement, allowing your team to set strategic goals that IT can measure against to show improvement.
• The ideal solution has a way to measure, set goals and communicate them to Non-IT Leadership for buy-in, execution, and continuous, ongoing improvement.