New legislative requirements in the field of IT security are now an integral part of corporate governance. As a result, cybersecurity is no longer the preserve of the CISO alone, but is a subject of interest and questioning, and must be understood by the COMEX and CODIR of organizations.

This new challenge requires C-levels to get involved and understand issues for which they do not always possess the appropriate IT culture, in a field that is more often than not reserved for a public of experts. At the same time, CISOs need to adapt their communications to meet their management's need for understanding.

Against this backdrop, a number of questions arise.

  • As a CISO, how can you effectively communicate IT security issues to your management team?
  • What do C-levels expect?
  • How do you translate technical issues into tangible business objectives?

Explanations.

Management increasingly aware of cybersecurity issues

Corporate executives are becoming increasingly vigilant about the importance of cybersecurity, as the ESG study for Trend Micro shows.

But while 82% of respondents recognize that cyberthreats are getting worse, cybersecurity is still too often confined to IT teams: according to 62% of those surveyed, it is mainly the responsibility of the IT Department (Direction des Systèmes d'Information).

The good news is that the survey shows that decision-makers are becoming increasingly aware of this issue, with 85% of respondents noting a growing interest on the part of boards of directors.

The bad news is that this burgeoning interest is often (too) reactive, arising only after major incidents.

Cybersecurity remains a complex subject for managers

Despite this heightened awareness of risk, business leaders are struggling to grasp the challenges of cybersecurity. This trend is particularly noticeable in small and medium-sized businesses, where resources are often limited.

According to Bpifrance and Cybermalveillance.gouv.fr, this reluctance stems from several factors. First, understanding of cyber risks is often superficial, which leads to an underestimation of the stakes and to excessive delegation to the IT team.

To make matters worse, investment in cybersecurity products and solutions is often perceived as prohibitive, even though the financial consequences of an attack can be catastrophic. According to a study by Orange Cyberdéfense, 60% of companies hit by a cyber attack go bankrupt within 6 months! There is therefore an urgent need to make cybersecurity intelligible to everyone.

How to talk to your management about cyber?

The CISO's role is no longer simply that of a technical advisor. He or she must evolve towards a more strategic and communicative role, which involves linking IT security issues to the company's governance objectives and business vision.

Talk business rather than technical to your contacts

What's the main purpose of your pitch to management? Make them aware of the situation. To do this, you'll need to highlight:

  • the challenges of cybersecurity;
  • the consequences of risks (damage to reputation, unavailability of business processes, financial penalties, etc.);
  • how these relate to the company's objectives.

As Baptiste David, Head of Market Strategy at Tenacy, explains, management is more interested in the commercial and budgetary repercussions of IT security risks than in the technical aspects and underlying organizational constraints: "The CISO needs to avoid technical language and talk business to business leaders. It's all about explaining why certain situations are problematic, and their potential impact on the organization."

It is therefore important to make the terms you use as easy to understand as possible, so as to facilitate discussions with management. On this point, you may wish to refer to the white paper co-written by OSSIR and CLUSIF, La cybersécurité à l'usage des dirigeants (Cybersecurity for senior management), which gives a number of practical tips for making your discourse accessible, accompanied by a glossary offering simple definitions of terms such as DNS, BYOD, MFA or phishing.

Base your speech on facts and figures

To ensure effective communication, don't hesitate to project management into a scenario. Highlight the consequences of a successful cyber-attack on the company, such as the impossibility of using any company workstation for 72 hours, or the revenue lost from sales that could not be made.

Alongside this scenario, add a retrospective of significant cybersecurity events in the company. These may include:

  • internal security incidents;
  • the results of a recent audit;
  • the introduction of new regulations that have had an impact on corporate governance.

The idea here is to move from fiction to reality.

You can also monitor security incidents that have occurred in companies similar to yours (preferably French) to facilitate identification.

The aim is to keep management informed, without overloading them with superfluous details. It's about enabling them to ask questions and understand the cybersecurity trends that could affect their environment.

Don't multiply reports

Too much information kills information: to remain intelligible, don't produce too many reports!

Keep in mind that each report must add value for management, in other words provide them with information that informs strategic decisions and either highlights progress or identifies new challenges.

As Baptiste David points out: "An annual report is insufficient to keep up with the rapid evolution of cybersecurity issues, while a weekly report risks saturating management with redundant information."

For example, in the context of an ISO 27001 certification project that may extend over six months, the most appropriate format would be a quarterly report to demonstrate progress and enable the right decisions to be taken. And for more urgent matters or major incidents, ad hoc reports can be submitted without waiting for the next deadline.

Use Tenacy to support your analyses

To facilitate the work of CISOs, the Tenacy platform offers detailed, contextualized analysis, enabling a precise, real-time assessment of the company's IT security posture. Advanced data visualization features transform technical information into explicit graphs and tables, reinforcing your communication with decision-makers.

So you can monitor your company's cybersecurity, detect irregularities and create reports that everyone can understand. The trifecta, in short!

Key takeaways

The CISO function is evolving beyond a purely technical role to become a strategic player within the company. It is now up to the CISO to translate cyber risks into business and budgetary implications, and to present information that is both relevant and understandable to management for decision-making purposes.

The use of platforms such as Tenacy facilitates this task, offering detailed, contextualized analyses that enable real-time monitoring of cybersecurity posture.

Contact our sales representatives today to request your Tenacy demo!