The Story is What Matters
Edward Marchewka
Strategic Executive | Cybersecurity & Risk Management | IT Strategy, Digital Transformation, and Talent Development | Driving Innovation in Non-Profit & Private Sectors | Dissertation Chair & Adjunct Professor
Several scholarly sources have stressed that better communication with the board is needed (Al-Moshaigeh et al., 2019; Anders, 2019; Gallagher et al., 2019; Islam et al., 2018; Rothrock et al., 2018; Weill et al., 2019); however, these articles fall short of prescriptive direction on how to craft and deliver compelling communications, and the communication problems within cybersecurity continue.
The literature repeatedly calls for speaking the language of business (Blum, 2020; Karanja & Rosso, 2017; Rowe, 1998; Wright, 2019), but it does not agree on what that language is, beyond the observation that it has no single definition. The most workable reading is that the language of business consists of the terms that matter to the particular business. If money is what matters most, then finance or accounting is the language of business; if patient safety matters most, then patient safety is the language of that business (Wright, 2019).
Because business language is not specified more precisely than this, the model proposed by Marchewka (2018; as cited in Fitzgerald, 2018) was used as the presentation format, aggregating scores into six categories. Three of the categories are the core cybersecurity properties of confidentiality, integrity, and availability (Harris & Maymi, 2021); the other three are the business categories of people, reputation, and finance.
For years I have advocated using aggregated risk metrics when telling the cybersecurity story to executives and board members. This point of view was primarily driven by information gathered from other professionals and colleagues in the field, and by peers reporting that their boards had asked for single scores to reflect the performance of the cybersecurity program.
However, risk perception does not change based solely on how the risk metrics are presented, whether aggregated into a single score or broken out tactically. Risk perception remained the same with both formats, meaning either could deliver the same message; the choice between them comes down to how a given audience prefers to receive it. Attributing the change in risk perception to the delivery mechanism itself would be a causal fallacy (Vleet, 2012).
Improving executive understanding of cybersecurity risks remains a need. Part of improving that understanding is closing the information asymmetry gap between the security function and the board and reducing the affective (emotional) response to risk information (Garcia Perez et al., 2018; Wu et al., 2019). The message, reasoning, and business circumstances behind the metrics, rather than the presentation format, are what carry the cybersecurity risk story.
Building trust is one way to reduce both information asymmetry and affective response. Holding specific conversations with the audience to discover which messages resonate with them can improve communication as well. Lastly, as noted above, speak in terms the business understands, which means the terms that resonate with that particular audience.
References
Al-Moshaigeh, A., Dickins, D., & Higgs, J. L. (2019). Cybersecurity risks and controls. CPA Journal, 89(6), 36–41.
Anders, S. B. (2019). Cybersecurity tools for CPAs. CPA Journal, 89(6), 72–73.
Blum, D. (2020). Manage risk in the language of business. In Rational cybersecurity for business: The security leaders' guide to business alignment (pp. 123–156). Apress. https://doi.org/10.1007/978-1-4842-5952-8_5
Fitzgerald, T. (2018). CISO compass: Navigating cybersecurity leadership challenges with insights from pioneers. CRC Press. https://doi.org/10.1201/9780429399015
Gallagher, C. G., Zielinski, K. L., & Boyle, D. M. (2019). The more you say. Internal Auditor, 76(2), 49–53.
Garcia Perez, A., Madzudzo, G., & Morris, D. (2018). Cybersecurity and the auto industry: The growing challenges presented by connected cars. International Journal of Automotive Technology and Management, 18(2), 105. https://doi.org/10.1504/ijatm.2018.10013319
Harris, S., & Maymi, F. (2021). CISSP all-in-One exam guide (9th ed.). McGraw-Hill Education.
Islam, M. S., Farah, N., & Stafford, T. F. (2018). Factors associated with security/cybersecurity audit by internal audit function. Managerial Auditing Journal, 33(4), 377–409. https://doi.org/10.1108/MAJ-07-2017-1595
Karanja, E., & Rosso, M. A. (2017). The chief information security officer: An exploratory study. Journal of International Technology & Information Management, 26(2), 23–47. https://scholarworks.lib.csusb.edu/jitim/vol26/iss2/2
Rothrock, R. A., Kaplan, J., & Van Der Oord, F. (2018). The board’s role in managing cybersecurity risks. MIT Sloan Management Review, 59(2), 12–15.
Rowe, J. (1998). No such thing as...the language of business: Colourless green ideas sleep furiously. Management Decision, 36(2), 117. https://doi.org/10.1108/00251749810204205
Vleet, J. E. (2012). Informal logical fallacies: A brief guide. University Press of America.
Weill, P., Apel, T., Woerner, S. L., & Banner, J. S. (2019). It pays to have a digitally savvy board: Having board members with experience in digital business is the new financial performance differentiator. MIT Sloan Management Review, 60(3), 41–45.
Wright, R. S. (2019). Should accounting be the language of business? Research Technology Management, 62(4), 53–55. https://doi.org/10.1080/08956308.2019.1613121
Wu, K., Sorensen, S., & Sun, L. (2019). Board independence and information asymmetry: Family firms vs non-family firms. Asian Review of Accounting, 27(3), 329–349. https://doi.org/10.1108/ara-05-2018-0110
President & CEO at ComplyAssistant
1 year ago: Edward, thanks for sharing!