Cybersecurity is often incorrectly perceived by business leaders and others as a 'technical problem' that can be 'solved' (it can't!).
*Security is an ongoing risk that requires ongoing work.*
This misperception is often accidentally created or reinforced by the security team.
If CISOs and security leaders communicate security in technical terms (via metrics, choice of words, budget justification, etc.), then business leaders will naturally expect it to be a technical 'problem' (to be solved one time by installing prevention measures) and not an ongoing business risk/force to be managed.
There are several techniques to correct this misperception:
- Educating leaders with clear storytelling that describes cybersecurity as crime and espionage on computers (which it is) that clearly requires keeping up with human adversaries.
- Intentionally avoiding technical and 'one-time' language (problems and solutions, etc.) in the words and phrases you use to talk about security.
- Relating security to something they already know:
a. Financial terms - Quantify cyber risk using Open FAIR™ or other methods to clearly frame security and its impact in familiar financial terms (but be careful not to devalue human life, safety, health, etc. impacts that go well beyond financial risk).
b. Fiduciary duty - Relate how security is part of the legal obligation that organizational leaders have to act in the best interest of the shareholders (owners) of the organization. Threat actors can damage the interests of those shareholders and business assets, so those leaders have an obligation to implement effective security management. Blaming/firing/punishing security experts for events out of their control (conducted by criminals who exploit risky decisions made by business teams) is NOT an effective approach.
The fiduciary duty and accountability obligations associated with security are documented in the Security Roles and Glossary Standard Parts 2 and 3.1 - https://publications.opengroup.org/s252 (draft standard, feedback is welcome). Some more description of this standard is at https://www.linkedin.com/pulse/security-roles-glossary-mark-simos-uctze/
The Open FAIR™ standards are at https://publications.opengroup.org/t230
