Three practices to make Cybersecurity a business matter

In a recent panel conducted by IT Security on the "State of the Nation" of Cybersecurity, one of the points raised and debated was whether Cybersecurity is now a topic on the boardroom table and how the involvement of management in Cybersecurity has evolved.

The most recent attacks in Portugal, besides their impact on the services of the targeted companies and their clients, have brought more attention and media focus to Cybersecurity. Without a doubt, many organisations, no matter how prepared they were, followed this surge of attention with due concern and took the opportunity to review the state of preparedness of the various processes that compose their lines of defence and incident response.

Many leaders and managers became more alert and began to see Cybersecurity as a really important topic for organisations.

The question that many professionals still raise is whether the attention and importance Cybersecurity is receiving because of these events will be enough and will last. In other words, after the panic and impact that many organisations suffered, will we not see a return to the old security practices, very focused on reaction, where many security professionals continue to complain about a lack of means and a lack of organisational relevance?

There are many ways to approach the relevance and role of Cybersecurity in organisations. Knowing that no organisation is immune to attack, the best prepared will be those that, realising that Cybersecurity is a business issue, normalise it, include cyber risk in corporate risk management and "distribute" responsibility at all levels, from leadership to employees.

Our contribution, as security professionals and leaders, is to ensure this normalisation, change the mindset and put the focus on the organisation and the fulfilment of its mission. For that, organisational knowledge is important and communication is crucial, so that we can drive this paradigm shift on a daily basis and lead Cybersecurity to be seen as a real "Business Enabler".

With this in mind, I want to share three topics/practices where we, the leaders and security professionals, should invest more time and attention in order to progressively make Cybersecurity a business issue and contribute to the improvement of organisations and, consequently, the state of the nation.

1. Financial literacy and business knowledge

For Cybersecurity to really be a business function, it is important to understand that our role is to be "translators" from a very technical language into a business language that executives can understand, resisting the temptation of an overly technical speech, where we feel more comfortable but which may not get the reception we expect.

It is equally important to invest in business knowledge and financial terminology. This does not mean that we should be management "experts", but we should be familiar with terms such as EBITDA, P&L, Capex and Opex, among others. We should also know how the organisation is managed: its budget cycles, financing and business models. To be able to position Cybersecurity as a business function, we must know the organisation well.

2. Strategy and planning

There is a diverse literature on strategy, on the difference between strategy and planning, on value generation and on business objectives. Much of it is read, studied and put into practice day to day by leaders in organisations. "Value generation" (for the customer, shareholders and employees) is always present when we hear about strategy.

So, how can we associate Cybersecurity with value generation? In other words, how will we manage to be at the centre of the organisational strategy and contribute to value creation? For instance, if the organisation has innovation as a core value, how can Cybersecurity contribute, without prohibiting, to enhancing the generation of value?

Understanding strategy and value creation in the organisation will give us more tools to position Cybersecurity as a "Business Enabler". It will also allow us to design Cybersecurity programmes aligned with the organisational objectives, adding value.

3. Leadership and communication

Our ability to lead and influence is to a great extent one of the crucial points for Cybersecurity success. How are we seen in the organisation? As a leader at the service of the organisation, or as a "vigilante" for those who violate Cybersecurity policies? And how are we seen by our teams? What we know today as "Servant Leadership" can help find a route to support the team, valuing it and framing it within the purpose of serving the organisational values and objectives, especially in a time of shortage of specialised resources.

Communication is an important tool of a good leader. Personally, it does not come naturally to me, so some time ago I set out on a journey to improve the way I communicate, simplify my speech and add elements such as "storytelling" to reach the audience quickly. All of this with the purpose of reaching the recipient of the message.

Therefore, with all this organisational knowledge, financial knowledge and understanding of how to align the security strategy with the business strategy, if we lack the ability to communicate effectively, we will not be able to influence the organisation and elevate Cybersecurity to a business matter.

In conclusion, for Cybersecurity to become more and more a business topic, we have to do our part: understand the business, speak the same language as the executives, be clear in our communication for each target audience and, above all, have the Cybersecurity strategy completely aligned with the business strategy, objectives and organisational values.

This article was first published in the IT Security Expert section.

Gerry Blass

President & CEO at ComplyAssistant

1 year

Josué, thanks for sharing!

Bashir Semakula

Cyber Strategy, Cyber Transformation | I help businesses develop & implement high impact cyber strategies

2 years

These practices are on point, Josué. Being seen as vigilantes doesn't give cyber security teams a good look and leads to a lack of funding, being reactionary and stunted cyber maturity.

José Badía

Sales Director, Iberia | Sales Leadership, Revenue Growth

2 years

Thanks for sharing Josué. It's a must-read article for CISOs.

Jumar P.

Cyber Security Manager

2 years

100%
