As cyber-security executives know, the job’s not restricted to devising and implementing solid defences to protect the organisation - another crucial aspect is convincing the CEO and board to greenlight the money and effort needed to implement your strategy.
If you fail to impress upon the higher-ups the merits of your plan, your enterprise remains vulnerable, your smart work is wasted and the best you can hope for is the satisfaction of saying “I told you so” after a breach.
That’s why CISOs and CIOs need to develop skills of persuasion alongside their security and tech know-how, says Melbourne-based infosec trainer Karen Darling, who is presenting at BrisSEC in Brisbane on March 26.
The first challenge - amid the COVID upheavals in particular - is getting the leadership team to devote time to hearing your cyber-security advice, Ms Darling says.
“Getting the ear of people on the board or the leadership team is challenging because you are competing with all those other agendas, all those other risks and all those other parts of the organisation that are looking for budget to be improved and time from the leadership team.”
Need to be heard
Lack of clout can be another issue, Ms Darling says.
“There are still some organisations - as hard as it is to believe - who have IT teams that do not have a seat at the table. They are actually still just charged with keeping the lights on. They are not seen to be really strategic.
“So those people are not empowered, they are not being listened to, they are not being heard. That then creates a whole lot of flow-on problems. When people feel they are not being heard it doesn’t create good relationships internally.”
Ms Darling, CEO at ROI Solutions, advises security executives to use a three-pronged approach with the leadership team:
- Secure engagement
- Raise awareness
- Create trust
Speak their language
To attract and manage their attention, talk about the likelihood and consequences of a cyberattack and then speak their language, “which is about risk and governance and compliance, not how the technology works”.
A basic understanding, however, of the threat landscape and the technology involved is beneficial. “Help the board or leadership team to build their awareness around what the risks are and what you’re going to do about them. Help them to increase their tech knowledge, but only to the level that is relevant.”
“If you’re seen to be speaking their language, you are helping them to understand a bit more about the risk the organisation faces and you’re building your credibility, which creates trust.”
The leadership team will need to be reassured that your proposed measures will not excessively hamper normal operations and, potentially, profits.
“We’re going to strike a balance - this is very important - between what we are asking the organisation to do to manage its risks, and the need to run its day-to-day business.
“Assure them that the change is something that is manageable and your change process will encourage people to support cyber-security measures, rather than resist.”
All aboard
Even if you get the budget, implementation is doomed to fail without commitment and participation from the leadership team, so you need to use your powers of persuasion to get them fully on board.
“We believe it is impossible to implement successfully without engagement.”
Karen Darling is speaking at BrisSEC on the topic, “Managing your people risk: How to get real wins and improve your security posture”.
BrisSEC is being held at the Hilton Hotel on Friday, March 26. It is a free and exclusive AISA-member event.
REGISTER here >> https://bit.ly/3hDmjbU
