How to talk to your boss about cybersecurity

The fact that you’ve had experience may actually be an advantage. 

This isn’t about you.

We all want to warn our bosses about cybersecurity. We may not be proud of our past: there was 1999 and our flippant install of Napster on a laptop that, surprisingly, lasted us through college. There was the exchange of rewritable CDs with friends that makes you wonder how any of us made it through the early 2000s without identity theft (or so we figure).

But it's 2021. We're savvier internet users now. The importance of data privacy, the ramifications of the bad guys stealing government data: we get it.

We know better than to click page two of Google search results.

Your boss should know these things, too.

Experts disagree.

If it is not some random MSP promising CMMC compliance "in hours," it's another group promising magical camaraderie, but only at the end of a longer conversation that may never actually happen.

Consider your boss. How do you typically approach subjects on which he's adversarial? Does he push back on cybersecurity improvements because he sees them as a money-grab? Or because he truly doesn't understand what you do?

How can you help him understand it?  Flowcharts? A PowerPoint with animation? A team-building group-viewing of Sandra Bullock's "The Net"?

When to lie.

In our opinion?  Well, you didn’t hear it from me, and I’ll deny it if you ever tell anyone I said so, but sometimes, the white lie helps to bridge the gap and cross into “realness” quicker.

Do you know someone who knows someone who went out of business after a phishing attack? Well, perhaps there are fewer "someones" in between and you know that person first-hand.

The whole truth?

Does your boss really need to know the reasoning behind group policies or what distinguishes FIPS-validated hardware from that $7 webcam you bought off of Wish.com?

Assuming your boss is part of the C-suite, he will appreciate your providing high-level information. Come prepared with the "why," but don't expect to spend a lot of time in the weeds. Explain things simply, clearly, and confidently. If you can do that, you will also gain your boss's trust.

Say what you mean to say.

Don't beat about the bush. Say what you mean to say:

"We currently do not use MFA and that is a major problem that I can resolve with your support."

"The open items on our POAM need to be addressed and I have a game plan I'd like to discuss with you."

"As much as I can appreciate the sentiment, I don't think the Smart Fridge in the breakroom is necessary. Someone added caviar and Dunkaroos to the appliance's shopping list."

What have you learned?

Before you walk into his office, play it out in your head.

How does he respond to your opening line? Is he defensive? Is he open to ideas, provided he believes they fit the budget estimates? Is he distracted? Does he understand the terminology you're using?

You could say it like this:

"I don't know about you, but this CMMC stuff is coming at me at lightning speed. It's a wonder anyone not involved in IT and cybersecurity on the daily can do anything but tread water. Can I bring you up to speed with what I've learned and what I propose we do next?"

Or like this:

"I wanted to thank you for green-lighting that MFA initiative. We've made a step in the right direction. Can I offer you a couple of ideas and we can talk about a timeline for the next project?"

Or even like this:

"Do you want the good news or the bad news? Bad news first? I think Jim scrapped $150,000 worth of parts when he fat-fingered a program this morning. Good news? I finally got around to updating those access policies."

Okay, maybe don't use that last one.

Don't just talk. Listen.

You can learn a lot by listening. Hear your boss out. Find out what he [thinks he] knows. That can help you approach topics and challenges appropriately.

Stay calm.

Whatever happens, try not to raise your voice. I know it's frustrating that he unironically calls the internet the "interwebs" and he has a shared Facebook account with his wife, but remember: Not everyone gets the 0s and 1s like you.

Good luck!

Cybersecurity isn't a piece of cake. If it were, the DIB would be NIST 800-171 compliant (for real).

The article above is a parody of an article about talking to your kids about drugs, which is not, in fact, a funny topic. Also, the use of "him" in the article above is a catch-all. I recognize and celebrate the MANY women bosses out there. The rule in comedy is to keep it short, which is what I tried to do.

Photo from Andrea Piacquadio via free-photo site Pexels

Robert Metzger

Rogers Joseph O'Donnell | JD | LinkedIn "Top Voice" | 2025 Lexology "Client Choice" Winner | 2024 Lawdragon 500 Cyber | Federal 100 Winner | Board Member | Expert Witness | Cyber, SCRM and National Security Specialist

3 years ago

I enjoyed this, Allison Giddens. It doesn't quite fit my experience, but that is because I don't tell companies how they should achieve security. I do try to convince them that they should. Just a couple of years ago, someone in my chain of command dismissed my work in cyber as "something for the technicians" and, by implication, not a good use of time for attorneys. I thought otherwise.

Tom Cornelius

Senior Partner at ComplianceForge | Founder & Contributor at Secure Controls Framework (SCF)

4 years ago

This is all about establishing context that your audience will understand and positively respond to. It is definitely a moving target.
