In the decades since Sigmund Freud called talk therapy the “talking cure,” analysts' couches have been filled with patients pouring their hearts out as they strive to find answers, right their lives and experience breakthroughs that will keep them from repeating past mistakes.
Turns out, as the banking DDoS attacks of 2012-2013 proved, Freud's favored technique is good therapy for organizations trying to ward off cyber attacks and strengthen their security postures as well.
An unanticipated feature of the financial services DDoS attacks was their effectiveness in bringing victims together, forging a never-before-seen level of communication: among the corporate victims themselves, between those victims and government, within the affected organizations, and even outward to customers. The attacks taught each of those groups a different lesson about communication.
Stephen Fried was CISO of the People's United Bank during the 2012-2013 attacks, and since then has lectured about security responses to major disruptive events. “I always tell audiences that to be an effective communicator you have to speak the language of the person on the other side of the communication,” he explains. “That means that if you're trying to convey risk information to the C-suite, you need to frame that risk in the context of the things they're worried about.”
Executives are concerned above all with issues like impact on revenue, customer loyalty and retention, legal and regulatory compliance, and profitable growth. If you can make them understand the basic connection between information security and those fundamental concerns, they will pay close attention to what you have to say. However, Fried notes, “If you start the conversation by talking about lowering risk by feeding your NIDS logs into your SIEM system, you've lost them at ‘hello.’”