While most business leaders agree that cybersecurity has significant value, determining exactly where and how to spend company dollars on training and infrastructure continues to be a point of disagreement within organizations. Intelligent communication using a shared vocabulary, according to a recent Focal Point Data Risk report by the Cyentia Institute, is vital to achieving consensus, and a comprehensive security plan.
As the barriers between the c-suite and IS department continue to diminish, thanks, in part, to widespread adoption of a chief information security officer (CISO), a significant problem remains in “the critical, strategic area of cybersecurity measurability.” The solution, proposed by Cyentia, is a “Cyber Balance Sheet, which borrows familiar terminology of assets and liabilities to improve communication and consensus around cyber risk.” Properly assessing corporate position and priorities, including measuring and expressing risk, is impossible without common values and metrics, and, in turn, a common language. Among the “assets” and “liabilities” addressed within the report, companies must “balance” physical security concerns, including hardware, software, data and systems, against intangible assets, such as brand reputation, customer loyalty, and human capital. A “balance sheet” that includes the range of assets and liabilities helps provide “a complete picture of…risk posture, enabling better awareness and more informed decisions,” and a more robust information security program.
Joan Goodchild, writing for IBM’s Security Intelligence, provides additional tips for CISOs, who must “learn to speak the language of business,” and to show executives how spending both increases security posture and enables key business goals. In particular, Goodchild recommends CISOs learn “Three R’s: Reputation, Regulation and Revenue” as primary concerns among board members, and opportunities to segue into security issues. Finally, as cyber-anxiety continues to increase among businesses and consumers, CISOs should be careful to bring “good news” and pay attention to “context” in presenting to key decision makers.
Echoing these considerations, Phil Gardner, Founder of IANS, encourages CISOs to link information security to business priorities, and to better understand overall company values, including data assets, as well as InfoSec expenditures, in order to increase “clout with the board and c-suite.”
For those cyber-aware organizations committed to developing and improving their security policies and procedures, maximizing effective communication among corporate stakeholders is a vital part of a robust information security program.