From Tech Talk to Boardroom: Navigating Cybersecurity Conversations with Clarity and Confidence

Being able to translate between cybersecurity technical professionals and business leadership is a key skill for effective and efficient communication that builds trust and a productive, collaborative environment. Having begun my journey as a business-minded engineer who had a knack for building analytical tools and little more than an awareness of information security (InfoSec) best practices, then growing and building an IT Governance program from scratch for a B2B SaaS company supporting critical energy infrastructure around the world, I recall the evolution of thought that was necessary, as well as the development of a new vocabulary.

This article looks at two scenarios from past experience, then gives some definitions to help a business leader follow the conversations.

Scenario 1: ISO vs. CEO Face-off

Here is an example conversation from shortly after going through due diligence, being acquired, and opening discussions with the Information Security Officer (ISO) on the private equity team:

ISO: "It's clear that we need to focus on attack surface reduction to improve our security posture. This will require a multifaceted approach that encompasses people, processes, and technology. Let's prioritize these initiatives and allocate resources accordingly to strengthen our security posture."

CEO: “Are there areas that you’re particularly focused on to reduce our risk?”

ISO: “We need to revisit our stance on RBAC, Zero Trust, network segmentation, and optimize our tech stack.”

Scenario 2: SaaS Vendor vs. Corporate IT

As a small- to medium-sized B2B SaaS vendor, you find corporate IT giving you the third degree about security, warning that they will not renew until an assessment is completed. They want to know you've got your act together before they sign on the dotted line.

During the opening discussion of an IT Governance Risk Screening process, the customer indicates that they will be expecting to receive the typical artifacts used to assess security posture and compliance with relevant regulations and standards.

Understand the Background

In both instances, whether it is the Board or a customer IT team, the other side wants to know you're not a cybersecurity disaster waiting to happen. They're not just looking for lip service; they want hard evidence that you've got your security game together. They're going to grill you with questions, and it's your time to shine, but a sound meeting plan and a deliberate communication strategy will be key to success.

Before we dive into the definitions, let's talk about the assumptions risk screeners might hold about small businesses before the conversation begins. Understanding the interviewers' mindset helps you develop talking points and predict where their questions are leading.

1. Basic Security Measures: The business likely implements fundamental security measures such as antivirus software, basic firewalls, and regular password policies. However, these measures may not be comprehensive or tailored to the specific risks faced by the organization.

2. Limited Security Awareness: Without a dedicated CISO or cybersecurity team, there may be limited awareness of cybersecurity best practices among employees. Training and awareness programs may be ad hoc or minimal, leading to increased vulnerability to social engineering attacks and human error.

3. Ad Hoc Approach to Security: Security initiatives may be reactive rather than proactive, with a focus on addressing immediate threats as they arise rather than implementing long-term security strategies. This can result in gaps in security coverage and increased exposure to emerging threats.

4. Limited Resources: The business may have limited financial and human resources allocated to cybersecurity efforts. As a result, it may rely on off-the-shelf security solutions or free/open-source tools, which may not provide comprehensive protection against sophisticated cyber threats.

5. Vendor Dependency: If the business relies on third-party vendors for IT infrastructure or SaaS solutions, its security posture may be influenced by the security measures implemented by those vendors. However, the business may not have the resources or expertise to assess the security practices of its vendors thoroughly.

6. Compliance Concerns: Depending on the industry and geographic location, the business may be subject to certain regulatory requirements related to data protection and privacy. Without dedicated cybersecurity expertise, ensuring compliance with these regulations may be challenging.

Understanding the Goals and Constraints

Proper evaluation of potential B2B SaaS vendors is a critical process aimed at assessing security posture and risk for investment. During interviews, the IT governance risk screening team uses an intentional and meticulous approach to gauge responses, ensuring a thorough understanding of the vendor's capabilities. The team employs structured questioning techniques and actively listens for substance over jargon, seeking clear and concise responses that demonstrate the vendor's knowledge, transparency, and commitment to robust security measures.

Efficiency and effectiveness are paramount, as these teams carry heavy workloads. The risk screening team often adopts a streamlined approach, swiftly evaluating high-level responses to gauge IT maturity and alignment with organizational requirements. If the team encounters responses that raise red flags or indicate potential inconsistencies or gaps, it pivots quickly, delving deeper to decide whether the vendor's presentation of high IT maturity is real or merely superficial "fluff." This dynamic approach allows the team to efficiently identify areas of concern and manage risk.

Strategy for Success

Now that we've covered the how and the why, let's talk strategy. It might seem like they're out to get you, but they just want to know you're the real deal. So, when they come knocking with their questionnaires and interviews, here's what you need to do:

1. Keep It Simple, Stupid: Don't drown them in technical jargon. Keep it clear, concise, and to the point.

2. Show Them You Mean Business: Be transparent about your security measures and processes. Transparency builds trust, and trust seals deals.

3. Be Prepared to Pivot: If they smell weakness, they'll pounce. Stay one step ahead and have answers ready for every curveball they throw your way.

4. Own Your Mistakes: Nobody's perfect. If you've had slip-ups in the past, own them. It's better to be upfront than to get caught with your pants down later.

5. Don't Be Afraid to Push Back: If they're asking for the moon and stars, but you can only offer them a constellation, speak up! It's better to manage expectations upfront than to promise the impossible.

As a business leader navigating InfoSec technical discussions, I’ve found that being very intentional about word choice to answer questions and describe your team’s efforts is a fine line to walk. Improper use of, or response to, jargon can be one of the flags risk screeners look for. Therefore, choose a communication strategy that will keep the conversation within your comfort zone, giving you the ability to use enough jargon to build confidence while avoiding deeper dives.

While the team should assess understanding of fundamental security principles, practices, and methodologies regardless of the specific terminology used, it may draw several conclusions if an interviewee does not use certain terms during an interview, some good, some not so good:

Pros:

· Communication Style: The interviewee may have a communication style that avoids technical jargon and focuses on conveying concepts in simpler or more accessible language. This approach could indicate a desire to communicate clearly and effectively with a diverse audience, which the team may view positively.

· Adaptability: The interviewee's ability to convey complex concepts without relying on specialized terminology may indicate adaptability and versatility in communication. This trait could be valuable in collaborative environments where stakeholders have varying levels of technical expertise.

· Contextual Awareness: The interviewee's choice of language may reflect an understanding of the audience and context of the discussion. While the risk screening team may prefer candidates who demonstrate familiarity with industry-specific terms, they also appreciate individuals who can tailor their communication style to suit the needs of different audiences.

Cons:

· Need for Clarification: The absence of certain terms may prompt the risk screening team to seek clarification or further elaboration from the interviewee.

· Depth of Understanding: The absence of specific terms could suggest that the interviewee may not possess in-depth knowledge of certain cybersecurity concepts or industry standards.

Definitions

Now that we’ve covered the background of the two scenarios, here are a few pointers to help a layperson understand the Information Security jargon used in the scenarios at the beginning of the article:

Zero Trust Security Model: A security approach that grants no implicit trust based on network location. Every request to access a resource must be authenticated and authorized, whether it originates outside or inside the corporate network, and access is granted only to what that user or device needs.

Plain Language: Instead of trusting everyone who is already "inside" by default, we verify every user and device on every request, even those on our own team and our own intranet.

Attack Surface Reduction: The practice of minimizing the potential points of entry or vulnerability within an organization's systems and networks that could be exploited by attackers.

Plain Language: It's about shrinking the number of ways cybercriminals could sneak into our systems by closing unnecessary doors and tightening security measures.

Security Posture: The overall strength and effectiveness of an organization's security measures, including policies, procedures, and technical controls, in safeguarding against potential threats and vulnerabilities.

Plain Language: It's the collective stance and strength of our security efforts, covering everything from policies and procedures to the technical measures we have in place to protect against cyber threats.

Network Segmentation: The practice of dividing a computer network into smaller zones with controlled traffic between them, to improve security, manage traffic, and limit how far a breach in one zone can spread.

Plain Language: It's dividing the network into different zones, each with its own rules and security measures. Critical assets are isolated from less secure areas of the network, so if attackers break into one part of the network it is much harder for them to move around freely.
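To make the last two definitions concrete, here is a small added example (not code from the article or its author) that compares the blast radius of one compromised laptop on a flat network with the same laptop on a segmented network. The host names, zones, and zone-to-zone allow rules are constructed for illustration; "direct exposure" is the one-hop attack surface the definition of Attack Surface Reduction talks about, and "reachable" is how far an attacker could get by compromising each hop in turn.

```python
"""Blast radius of one compromised host: flat network vs. segmented network.

Added illustration for the "Network Segmentation" and "Attack Surface
Reduction" definitions; the hosts, zones and rules below are constructed
examples, not drawn from the article.
"""
from collections import deque

# Constructed inventory: host name -> network zone it sits in.
HOSTS = {
    "laptop-01": "user",
    "laptop-02": "user",
    "printer-01": "user",
    "web-01": "dmz",
    "app-01": "app",
    "db-01": "data",
    "scada-gw": "ot",
}

ZONES = set(HOSTS.values())

# Flat network: no internal controls, every zone can reach every other zone.
FLAT_RULES = {zone: set(ZONES) for zone in ZONES}

# Segmented network: explicit allow-list of zone-to-zone flows. Anything not
# listed is denied. Traffic inside a single zone is allowed in both models.
SEGMENTED_RULES = {
    "user": {"dmz"},    # end users reach only the public web tier
    "dmz": {"app"},     # web tier talks only to the application tier
    "app": {"data"},    # application tier talks only to the database tier
    "data": set(),      # database tier initiates nothing
    "ot": set(),        # OT gateway is isolated from everything else
}


def direct_exposure(start, hosts, rules):
    """Hosts reachable from `start` in one hop: its immediate attack surface."""
    zone = hosts[start]
    allowed = rules.get(zone, set())
    return {h for h, z in hosts.items() if h != start and (z == zone or z in allowed)}


def reachable(start, hosts, rules):
    """Every host an attacker could eventually reach by compromising `start`
    and then hopping from each newly compromised host (breadth-first search)."""
    seen = {start}
    queue = deque([start])
    while queue:
        current = queue.popleft()
        for nxt in direct_exposure(current, hosts, rules):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return seen


def blast_radius(start, hosts, rules):
    """Number of other hosts ultimately at risk if `start` is compromised."""
    return len(reachable(start, hosts, rules))


if __name__ == "__main__":
    for label, rules in (("flat", FLAT_RULES), ("segmented", SEGMENTED_RULES)):
        print(f"{label:9} direct = {sorted(direct_exposure('laptop-01', HOSTS, rules))}")
        print(f"{label:9} total  = {sorted(reachable('laptop-01', HOSTS, rules))}")
```

On the flat network the compromised laptop can touch all six other hosts directly. On the segmented network its direct exposure shrinks to the other user-zone devices plus the web tier, and the OT gateway is never reachable at all. Note that chained hops still reach the database through the web and app tiers; that is exactly the kind of path a risk screener will ask about, and the honest answer is that segmentation limits where an attacker can go directly, while the remaining allowed flows are where Zero Trust checks and monitoring have to do their work.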

Artifact (expanded explanation): While initial discussions of cybersecurity screening focus on “artifacts” that are documents (like policies, procedures, and reports), InfoSec professionals use the term in a broader sense than "document" or "report".

Here are a few reasons why information security professionals prefer the term "artifact":

1. Broad Scope: The term "artifact" encompasses not only written documents or reports but also items such as configurations, logs, system images, code, diagrams, physical devices, and any other evidence or residue of activity within an information system.

· "Residue of activity" refers to traces or remnants left behind as a result of actions or processes that have occurred within an information system, including logs and audit trails, file metadata, system configuration settings, network artifacts, memory artifacts, and physical evidence.

2. Non-Documentary Evidence: In cybersecurity investigations and assessments, there are forms of evidence that are not traditional documents or reports. Using the term "artifact" allows professionals to refer to these diverse types of evidence without limiting themselves to written materials.

3. Standard Terminology: "Artifact" is a standard term used in the field of information security and is widely understood within the professional community. Using consistent terminology helps avoid confusion and ensures clear communication among professionals.

Conclusion

So, there you have it, folks: the secret sauce to acing those cybersecurity conversations and winning over the InfoSec pros. There's a balance to be struck between too little InfoSec jargon and overcompensating with too much tech talk. A solid meeting plan and communication strategy will help these discussions go smoothly; winging it can easily put you in the hot seat.

I hope that this has been helpful. Check out another of my InfoSec communication articles as you progress on your journey.

More articles by Andrew Lafleur
