
The art of discussing cybersecurity with top management

According to the 2020 edition of CLUSIF's study "IT Threats and Security Practices in France," conducted among 350 companies with more than 100 employees, the CISO function is attached to senior management in 56% of cases. This still-low figure illustrates the difficulty cybersecurity has in occupying a prominent place at the top management level. How can the CISO remedy this situation and work towards greater recognition of their role by senior management? Perhaps simply by daring to take the first step!

October 8, 2022

CISOs must initiate dialogue with their management

While the CISO must be a skilled cybersecurity expert, they must also be able to step outside their office to engage in discussions with senior management, even if this often requires a delicate approach.

Why discuss cybersecurity with top management?

Let's be honest: without the support and trust of management, a CISO cannot do their job, or at least not very much of it!

Even though the situation is changing, leaders still struggle to understand the challenges of cybersecurity and what it entails. The aforementioned MIPS study by CLUSIF includes two revealing statistics on this point:

  • 56% of information security budgets are completely reevaluated each year, with only 8% of budgets remaining untouched.
  • 40% of security budgets are allocated to implementing solutions within the company, which illustrates the fact that top management primarily views cybersecurity as a tool.

To carry out their mission and secure the necessary budgets, CISOs have no choice: they must alert without antagonizing, educate without annoying, propose without demanding... in short, win over decision-makers!

This is an ambition that requires patience and perseverance, and often begins with observation and investigation.

Prepare the ground, construct the discourse

Many CISOs find themselves far removed from decision-making bodies. However, to ensure they are listened to (and heard), they can take a proactive approach, whether through one-off initiatives or daily actions carried out over the long term. Here are a few examples.

  • Requesting a meeting: Executives are busy, but they are still willing to meet at key moments (for example, a few months after the CISO takes up their position, or once or twice a year to discuss strategic issues). CISOs should seize the opportunity and request a meeting when they feel it is relevant!
  • Field research and connections made with other stakeholders: CISOs who find it difficult to gain access to senior management would be well advised to observe and map their environment. Who does what? Who knows whom? Who has influence? Building relationships with the right people gives you the opportunity to slowly but surely work your way up to senior management!
  • Questionnaires: Sending out a questionnaire before a presentation is a good way for the CISO to find out what particularly interests management, but also to gauge its level of maturity. It is also a way to learn more about the profiles of executives: their individual preferences, their presentation preferences, their character traits, etc. All of these elements will enable the CISO to adapt to expectations and score points.

Regardless of the methods used, CISOs have everything to gain by "fishing for information," taking an interest in both the specifics of the business and the psychological profile of its leaders. Gathering this information is an essential step in developing an effective and engaging narrative.

How can management be involved in cybersecurity?

Executives are not like other stakeholders. They are pressed for time, have heavy responsibilities, and above all seek assistance in decision-making. This requires the CISO to position themselves as a facilitator, adapting their approach and presentations accordingly.

The right level of information

Managers don't want to know or understand everything. In reality, they are only interested in information that helps them make informed decisions. For this reason, the CISO must communicate only essential information.

As CIGREF rightly points out in its October 2018 publication "Visualiser, comprendre, décider" (Visualize, understand, decide), the dashboard presented to the COMEX and the board of directors must above all be adapted to the characteristics of the entity concerned, with a simple principle: "enabling managers to make the right decisions to cover cyber risk." While the report provides a detailed outline of the information to be provided, here are the key points to communicate:

  • Existing threats: what they consist of (CEO fraud, phishing, employee negligence, etc.), why they are likely to significantly impact the business, and how they particularly affect the company.
  • The concrete risks these threats pose to business
  • The level of investment required to cover these risks
  • The latest incidents experienced by the company (what they involved, how the teams responded, all with an educational approach)

What about indicators? There is no need to present dozens of them; the ideal approach is to select those that will help management identify the degree of risk exposure and assess the relevance of the proposed measures.

Proper language

Members of top management are not cybersecurity specialists, and it is not uncommon to find significant disparities in their knowledge and understanding of the subject.

Once again, the CISO needs to adapt! There is no point in discussing technical details that are not meaningful to a manager. It is better to venture into their territory, building a discourse around concepts such as the sustainability of the company, business continuity, the protection of R&D, and brand image.

Finally, even if it is preferable to leave technical jargon aside, every CISO has a role to play as an educator, regularly making an effort to explain the meaning of the terms they use, or using analogies to promote understanding.

In this regard, the white paper "Cybersecurity for Executives," co-produced by OSSIR and CLUSIF, is an interesting source of inspiration. CISOs will find ideas for making their message more concrete (risks associated with email, mobile phones, web browsing, etc.), as well as a glossary offering simple and understandable definitions.

The right approach

There is only one: link the discourse on cybersecurity as much as possible to concrete elements, i.e., facts and figures! The CISO must therefore "project" management into a plausible scenario, in which he or she presents:

  • the consequences that could arise in the event of an incident (the inability to use 612 workstations for at least 48 hours, the closure of a factory for five days, etc.)
  • the foreseeable consequences, such as loss of revenue, disputes with customers, damage to the brand image, etc.
  • the severity of these consequences (low, medium, high)
  • the budget required to minimize the risk

The CISO can even go so far as to use storytelling, citing the example of a company that had to deal with the situation described (preferably choosing an example that management can relate to, either because the organization is local or in a similar industry). This is sure to send shivers down the spines of top management, resulting in a greater willingness to follow the CISO's recommendations!

The right pace

Very often, executives attend one meeting after another and end up tired of the succession of presentations. To "wake them up" and make an impression, CISOs would do well to innovate by focusing on dynamic and effective presentations.

To achieve this, there is nothing better than clear and concise dashboards featuring visual representations that illustrate the message.

There are also many facilitation techniques that can be used. To cite just one example, every CISO should try at least once to gauge their audience's opinion before presenting the security status, with a simple question such as "Do you think the company is adequately protected?"

It is an effective way to capture attention, surprise people, but also raise awareness when there is a discrepancy between the answers given and reality.

The right tool

Tenacy is the first tool designed by CISOs to help CISOs in their organizations. A flexible and collaborative SaaS platform, our cybersecurity management solution enables every CISO to:

  • save time on worthless and time-consuming tasks
  • regain visibility by being able to develop and monitor dashboards efficiently and comprehensively
  • ensure that actions are aligned with objectives
  • understand what this means for relations between the cybersecurity department and top management

By providing a 360° view of cybersecurity and thanks to its many features dedicated to cybersecurity management, Tenacy enables CISOs to present the key points of their activity to senior management. Our solution also allows them to regain valuable time and offer the company everything that adds value.