We’re breaking down the language barriers around Cybersecurity. But we have a ways to go…
Los Angeles, Calif. – Sept. 16, 2019
Is there anything that can ruin a CEO’s day faster than a data breach? I don’t think so.
A cyberattack can cause instant reputational harm, inflict millions of dollars in damage costs, drive down a stock price, create shareholder unrest, and put a dent in employee morale.
So what is a CEO to do? We always encourage cyber literacy and education, but how far do we CEOs need to go to familiarize ourselves?
We have a serious language problem in our field, and it creates exclusion – from the everyday consumer, to job seekers looking to get into security, to CEOs and board members.
Ann Johnson, corporate vice president, Cybersecurity Solutions Group for Microsoft, recently penned an article that says we should all be able to speak the language of cybersecurity. She asserts that our industry needs to avoid hyper technical or sensationalistic terms in order to become more inclusive.
Johnson’s message is spot on, and it should become a battle cry against exclusion. Although her article is aimed at inclusion from the standpoint of getting more people involved in cybersecurity, it’s equally important for C-suite executives and board members.
Other cybersecurity experts are chiming in on this problem.
“The lingo we use with each other – two-factor authentication, multi-factor authentication, are you using this framework or ISO twenty-seven-thousand-one – means something to us but it means nothing to everybody outside our industry – including the businesses and customers we’re supposed to serve,” quips former White House CIO Theresa Payton. “It’s almost like we’re speaking a foreign language and it’s hard for them to get in the club.”
This really got me thinking. When I speak to entrepreneurs, I often tell them to focus on their core business operation and outsource their weaknesses when they can afford it. When you first start out you wear multiple hats. You’re an accountant, a salesperson, and a marketer. Over time, as you scale, you’ll focus on your strengths and get help in the areas you either don’t love, or don’t excel at.
Similarly, as a CEO you don’t need to be an expert in everything – but you need to know enough to be dangerous. In my opinion that means asking the right questions.
When it comes to security, it’s easy to get lost in a conversation about sandboxing, detonation chambers, whitelists, blacklists, and so forth, as Johnson points out. Instead of staying quiet in the room, CEOs need to focus on the basics and understand what’s going to inform their decisions and overall strategic security program going forward. In my opinion, the key cyber terms should be around assets, threats, defenses and needs. Leave the technical jargon at the door and allow your team to fill in the HOW – while you ask about the WHY.
I recommend pushing your team to explain the answers to the questions below, and familiarizing yourself with your environment and its protective measures enough to be dangerous. Cover the basics of security, not the full language of security.
- What are our crown jewels? (Assets)
- Who would want to steal/disrupt/destroy the crown jewels? (Threats)
- What do we have in place to stop that from happening? (Defenses)
- Where are the gaps? (Needs)
From here, more conversations can take place:
- What is the timeline for change/roadmap/development?
- What investment is required to achieve these objectives?
- Are there compliance measures we need to be mindful of or adapt to?
Next month, October, is National Cybersecurity Awareness Month, also known as NCSAM. It’s all about creating awareness and education on cybersecurity. There’s no better time to regroup with your team and put the language of cybersecurity into practice. Keep it simple by focusing on four key terms: Assets – Threats – Defenses – Needs.
To Your Success,
Originally posted on Cybercrime Magazine.