How Should We Discuss Cyber With the C-Suite?
How detailed do we get in our conversation with business leaders? Do we dumb it down? Or is that a recipe for trouble?
Here's our last Defense in Depth for 2022! Please listen to me and my co-host Geoff Belknap, CISO, LinkedIn, and our guest Lee Parrish, CISO, Newell Brands, discuss the right way to approach cyber with the C-suite. Here are some of the key points from the discussion. Please provide your insight.
Understandings, not details, so decisions can be made. “The executive team expects the CISO/security leadership to understand the details and apply that understanding to solve the business problem at hand,” said Jonathan Waldrop of Insight Global. “If you cannot communicate the technical strategy decisions that you need from your executive leaders in simple terms that relate to those business decisions that they need to make, you need to work on that,” said Geoff Belknap. “It is not the other way around.”
The C-suite should not and will not become cybersecurity experts. “Many executive decision makers are not technical and the cost to transfer that knowledge becomes too great,” said Paul Weizer of Redan Strategies LLC. “Trust in your workforce with periodic status updates will go further than making everyone in the C-suite a software engineer or data scientist.” The discussion with the C-suite should be periodic and sequential, with each conversation building on the last like chapters in a book, said Lee Parrish. Keep in mind, said Belknap, “You are the security part of the business team.”
Simplicity is not the goal. Clarity and concise communications are the objectives. “The idea that the person who needs it explained to them simply should be making the investment decisions about it is insane. 'Clearly' - Yes. 'Concisely' - Absolutely. 'Simply' - is for students,” said Bull Holland, PhD of BMNT. What’s simple is how you break up complex concepts, like ransomware. You don’t ask the board if they want protection against ransomware, noted Belknap. Instead, you first have detailed conversations with the teams as to how you tackle ransomware and then explain to the board what mitigations you do have in place and what can be done in addition to reduce exposure and possible damage from a potential attack.
C-suite must have some base level of technical understanding. Christine Kleiber, SPHR, SCP of United States Department of Defense said, "We cannot make data driven decisions if we don't have digital fluency. We cannot outsource our technological competence." This may seem somewhat contrary to Geoff’s previous comment, but there is a minimum level we have to expect. Geoff remembers the days when executives wanted all their emails printed out.
Listen to the full episode here or over on our blog where you can read the entire transcript. And if you’re not already a regular subscriber to Defense in Depth, please go ahead and subscribe now. This is our last episode of Defense in Depth for 2022. We’ll be back the first week of January 2023 with a new episode. Until then, Happy New Year!
Thanks to all our other contributors (witting and unwitting): Shari Gribbin of CNK Solutions Group, Ryan M. of United States Department of Defense, Duane Gran of Converge Technology Solutions Corp., and Ivan Konermann of Wingspan Performance.
HUGE thanks to our sponsor Qualys
Cyber Security Headlines - Week in Review
Make sure you register on YouTube to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Jeremy Embalabala, CISO, HUB International.
Thanks to our Cyber Security Headlines sponsor Fortra
TOMORROW - Friday, December 16th, 2022: "Hacking Non-Traditional Cyber Risk" - Super Cyber Friday
Join us TOMORROW, Friday, December 16, 2022, for “Hacking Non-Traditional Cyber Risk: An hour of critical thinking about how your third parties’ risks affect your business.”
It all begins at 1 PM ET/10 AM PT on Friday, December 16, 2022, with guests Jonathan Ehret, VP, Strategy and Risk, RiskRecon, A Mastercard Company, and Steve Zalewski, co-host, Defense in Depth. We'll have a fun conversation and games, plus at the end of the hour (2 PM ET/11 AM PT) we'll do our meetup.
Thanks to our Super Cyber Friday sponsor Mastercard
Jump in on these conversations:
"Gov. Hogan orders TikTok ban for Maryland state employees because of cybersecurity risk" (More here)
"ChatGPT shows promise of using AI to write Malware" (More here)
"Settling a debate which a skeptic said multi monitors is not the normal for infosec work spaces." (More here)
Coming up in the weeks ahead on Super Cyber Friday we have:
Save your spot and register for them all now!
Thank you for supporting CISO Series and all our programming
We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!
Everything is available at cisoseries.com.
Interested in sponsorship? Contact me, David Spark.
Thanks for sharing, David Spark. Those tenets make sense, and I think they also hold for the BoD, including the part about a base level of technical understanding. We’ve held regular education sessions for our BoD, and I know they’ve been much appreciated.
Business Leadership must-haves...Communication, Accountability, Feedback, Behavioral Performance, Better Meetings, Ownership, Questions
1 yr
Hey David Spark - thanks for the note on my contribution. I’m not even sure how I unwittingly helped. What in particular did I do that was supportive as you put this great piece together?
Chief Information Security Officer (CISO) at Trustpilot / Co-founder of Cyber Scotland Connect / Global Top 100 CISO / Speaker
1 yr
I report on the current state of cyber risk; what was achieved in the last quarter and what are we doing next quarter to further reduce risks. Together with a general industry & incident update. I feel this is reasonable. Metrics are really really hard because what’s meaningful for us day to day means little to the Board. I’d also like to strategise truly multi-year, but I find that challenging. I love getting the opportunity to evangelise what we do at the most senior levels, but turning months of progress into very concise nuggets of info, easily understood by all, is certainly tough!
Cybersecurity Lawyer // Risk, Regulatory & Compliance Exec // 20+ years Fortune 100 & Big 4 leading across critical infrastructure security & operations // Managing Partner leading Hybrid Legal & Business Solutions Firm
1 yr
Nice - simple and to the point. I would add on the "transfer of technical knowledge and trust in" part - if you integrate more cross-functional capabilities all the way down the silos (business skillsets that have an aptitude for understanding tech), then you will ensure that the flow up adequately considers both the technical/cyber and the other aspects all together at each level as it moves up to the C-Suite, and therefore it is much more trustworthy when it arrives. Happy Holidays!
Tech Entrepreneur & Innovator | Founder of WatchPoint IT, Axis Backup & Canauri | Speaker on Cybersecurity & AI Trends
1 yr
I've found it to be somewhat of a delicate balance when addressing a C-Suite (or any audience) about cybersecurity. How much information is too much or what's too technical can be slightly different with every group. Get to know your audience as much as you can, and if you notice their eyes start to glaze over, I've found it helpful to get a Q & A session going. Regardless, clear and concise communication is key.