CISOs need to initiate dialogue with their managers

While the CISO must be a solid cybersecurity expert, he or she must also be able to get out of the office and engage senior management in discussion, even if this very often means progress at a snail's pace.

Why talk cybersecurity with top management?

Let's put it this way: without the support and trust of management, a CISO can't work, or at least can't do much!

Even if the situation is changing, managers still struggle to understand what cybersecurity is all about. The aforementioned CLUSIF MIPS study includes two revealing statistics on this point:

  • 56% of budgets allocated to information security are completely called into question every year, with only 8% of budgets remaining unchanged.
  • 40% of security budgets are spent on implementing solutions within the company, illustrating the fact that top management perceives cybersecurity mainly as tooling.

To succeed in their mission and win the necessary budgets, CISOs have no choice: they have to alert without provoking, educate without irritating, propose without demanding... in short, win over the decision-makers!

It's an ambition that requires patience and consistency, and often begins with observation and investigation.

Preparing the ground, building the discourse

Many CISOs find themselves far removed from the decision-making bodies. However, if they want to be listened to (and heard), they can be pro-active, whether it's a matter of one-off initiatives or day-to-day actions to be carried out over the long term. Here are a few examples.

  • Appointment requests: Managers are short of time, but are still willing to meet at key moments (for example, a few months after taking up the position of CISO, or once or twice a year to discuss strategic issues). It's up to CISOs to try their luck and request a meeting when they feel it's appropriate!
  • Field research and links with other contacts: The key to success is observation. CISOs who find it difficult to gain access to senior management have every interest in observing and mapping their environment. Who does what? Who knows whom? Who has influence? By forging links with the right people, you can build your way slowly but surely up to the top!
  • Questionnaires: Sending out a questionnaire before a presentation is a good way for the CISO to find out what management is particularly interested in, as well as their level of maturity. It's also a way of learning more about the profile of the executives: their pet subjects, their preferences in terms of presentation, their character traits... all elements that will enable the CISO to adapt to expectations and gain points.

Whatever the means used, CISOs have everything to gain from "fishing for information", by taking an interest in both business specifics and the psychological profile of managers. Gathering this information is an essential step in building an effective and engaging message.

How do you involve management in cybersecurity issues?

Managers are not like other people. They are short of time, have heavy responsibilities and, above all, are looking for help in making decisions. This means that CISOs have to position themselves as facilitators, adapting their approach and presentations accordingly.

The right level of information

Managers don't want to know or understand everything. In fact, they are only interested in the elements that help them make informed decisions. For this reason, CISOs need to communicate only the essential information.

As CIGREF rightly reminds us in its October 2018 publication "Visualize, understand, decide", the dashboard presented to the COMEX and Board of Directors must above all be adapted to the characteristics of the entity concerned, with a simple principle: "enable management to make the right decisions to cover cyber risk". While the report proposes a detailed framework for the information to be provided, here are the elements that should be given priority:

  • Existing threats: What they consist of (CEO fraud, also known as the "president scam", phishing, negligence on the part of employees, etc.), why they are likely to cause significant damage to the business and why they are of particular concern to the company.
  • The risks that these threats represent for our business
  • The level of investment to cover these risks
  • The latest incidents suffered by the company (what was involved, how the teams reacted, all with a pedagogical approach)

What about indicators? There's no need to present dozens of them, the ideal being to select those that will help management identify the degree of exposure to risk and assess the relevance of proposed measures.

The right language

Top management are not specialists in cybersecurity, and it's not uncommon to find wide disparities in their knowledge and understanding of the subject.

Here again, the CISO needs to adapt! There's no point in dwelling on technical details that won't "speak" to a manager. It's better to move onto management's own ground, building a discourse around notions such as the company's long-term viability, business continuity, R&D protection and brand image.

Finally, even if it's preferable to keep technical jargon to a minimum, every CISO has a role to play as a trainer, by regularly making the effort to explain the meaning of the terms he or she uses, or by using analogies to promote understanding.

In this respect, the white paper "La cybersécurité à l'usage des dirigeants", co-published by OSSIR and CLUSIF, is an interesting source of inspiration. CISOs will find ideas for angles to make their discourse more concrete (risks linked to e-mails, cell phones, web browsing, etc.), as well as a glossary of simple, understandable definitions.

The right approach

There's only one way to do it: link the cybersecurity discourse as closely as possible to concrete elements, i.e. facts and figures! The CISO must therefore "project" management into a plausible scenario, in which he or she presents:

  • events that could occur in the event of an incident (the impossibility of using the 612 workstations for at least 48 hours, the closure of a plant for 5 days, etc.).
  • foreseeable consequences, such as loss of sales, customer disputes, damage to brand image, etc.
  • the severity of these consequences (low, medium, high)
  • the budget required to limit the risk as much as possible

The CISO can even go so far as to practice a form of storytelling, citing the example of a company that has had to deal with the situation described (preferably choosing an example with which management can identify, either because the organization is local, or because it operates in a similar sector of activity). Top management will be far more receptive, and more likely to follow the CISO's recommendations!

The right rhythm

It's not uncommon for managers to attend one meeting after another, and end up bored by the succession of presentations. To wake the room up and leave a mark, CISOs need to innovate with dynamic, effective presentations.

To achieve this, there's nothing like clear, concise dashboards, with visual representations to illustrate what you're saying.

There are also a number of facilitation techniques that can be used. To give just one example, every CISO should try at least once to poll the audience before presenting the state of security, with a simple question like "Do you think the company is adequately protected?".

It's an effective way of capturing attention, of surprising, but also of raising awareness if the answers given are not in line with reality.

The right tool

Tenacy is the first tool designed by CISOs to help CISOs in their organization. An adaptable, collaborative SaaS platform, our cybersecurity management solution enables every CISO to:

  • save time on low-value, time-consuming tasks
  • regain visibility by being able to set up and monitor dashboards efficiently and comprehensively
  • ensure actions are aligned with objectives

What does this mean for relations between the cybersecurity department and top management?

By providing a 360° view of cybersecurity, and thanks to its numerous functionalities dedicated to cybersecurity management, Tenacy enables CISOs to present the key points of their activity to management. Our solution also frees up time for them to focus on the work that brings the most value to the company.