Security and Corporate Leadership: How to Communicate Effectively

With security incidents in the news nearly every week, it's more important than ever for a company's senior leadership team to have a solid understanding of cybersecurity essentials, and how cybersecurity can fit into compliance with industry standards and regulations.

In a survey conducted by the National Association of Corporate Directors, 38 percent of corporate directors view cybersecurity as a top threat for 2018. Business leaders are less confident about cyber risk preparedness than they were a year ago: only 37 percent of board member respondents said they feel confident or very confident that their company is properly secured against a cyberattack, compared to 42 percent the year before. These numbers demonstrate that it is critical to have a clear line of communication with senior leaders so they can stay up to speed on the state of the company's cybersecurity practices.

While in the past it may have been necessary to explain the importance of cybersecurity to leadership and why it is an essential investment, today upper-level management is well aware of the need for cybersecurity programs within an organization. A chief security officer (CSO) no longer needs to do as much selling on why cybersecurity is critical. The job now is to narrow the focus: to translate the general anxiety and fear around cybersecurity into actionable steps that people can take within their day jobs to reach a better security posture. Across customers, executives and many industries, we are seeing senior leadership proactively ask about cybersecurity and compliance: “Are we secure?” “What measures do we need to put in place to be more secure?” and “Are we keeping up with industry standards and regulations?”

The Common Controls Framework

To help answer those questions, we created the Common Controls Framework (CCF), our system for consolidating regulations and standards into a format that is easy to reference and understand. It is very valuable for conversations with the leadership team: it guides the conversation without getting bogged down in overly technical language and provides measures that leadership can easily understand. Compliance is a critical area in which to communicate clearly with leadership, customers, key stakeholders and regulators. With dozens of industry standards representing thousands of controls to keep up with, and various teams working to meet the necessary standards, it helps to have a centralized framework to keep track of everything.

The CCF also helps align cybersecurity with the corporate mindset, and it scales from small businesses to large enterprises. Scaling and executing a program as large as the CCF can be a major challenge, but the framework establishes parameters that keep security and compliance projects on track, helping to avoid the “mission creep” and rising, unexpected costs that can otherwise plague enterprise-level security projects and become a point of concern for corporate leadership.

Reporting to Leadership

Channels of communication between leadership and security teams are more open than ever, since security is increasingly seen as a company-wide priority. We suggest holding regular meetings with the full leadership team to stay in lockstep with one another. In these meetings, you will want to present on perceived risks across different parts of the organization, any security incidents that have occurred, security team investments including headcount, and the priorities or inquiries you are hearing from customers. Talk through your biggest concerns as CSO, namely credible threats and adversaries, and explain what the team is doing to defend against them. Also share your perspective on the current risk environment, making sure to describe risk status in terms that non-security professionals can understand. These are the meetings where you can raise cases in which you need another leader's help, whether that is additional funding for staff or a project, or navigating the company to get something accomplished.

Developing Good Relationships

Though security is now typically seen as a company-wide priority across industries, different individuals within a company's leadership team will have varied levels of interest in security and compliance details. Getting quality time one-on-one or in small groups with those who are more invested in your respective areas is an important way to build good relationships and to ensure you have advocates for your security program at the highest levels of company leadership. Discuss security issues at a high enough level that they can bring their own expertise to bear. For example, in a recent interaction, a colleague was able to draw on their own experience when we discussed the cybersecurity risk insurance process. They appreciated feeling fully aligned and able to contribute to security discussions.

Working together across leadership teams is essential to a well-functioning security program and company. With growing interest in security issues from corporate leaders, security teams can meet them halfway by communicating clearly about security and by showcasing the benefits to the entire company of having these essential teams aligned.
