Tackling difficult conversations on cyber security

Greg Day
VP & Chief Security Officer, EMEA
Palo Alto Networks

With cybersecurity threats growing in both volume and complexity, European IT security professionals are under pressure to ensure that the potential impact on their organisations can be minimised.

An independent study commissioned by Palo Alto Networks reveals a profession that is more determined and confident than ever to prevent these attacks. The real tension in managers’ working lives is around difficult conversations they must have with senior management regarding the fallout from cyber breaches.  

It’s perhaps surprising to realise how uncomfortable IT security professionals feel when facing the board about cybersecurity breaches – with our research showing that these managers lack confidence in their relationships with the senior management team. Half our security professionals find it difficult to highlight security weaknesses and a third of respondents feel that involving senior management just makes matters worse.

Interestingly, the third most common reason for not ‘reporting’ an incident was that the person causing it was actually part of the senior management team – a factor no doubt fuelling this reticence to ‘talk’. EU legislation plays its part too, with almost half of security professionals expecting upcoming legislative requirements around cybersecurity and data protection (coming into effect in May 2018) to lead to awkward conversations with senior management. 

Creating an open dialogue

It seems that cybersecurity leaders often regard a breach as a personal failing, which can make it hard for them to share with senior management. Many believe they could have done more to prevent the breach (only 42% of those who notified senior leaders during a breach believed they had done everything they could to prevent it), whilst only one third believe their senior management are open to new ideas on tackling cybersecurity – another deterrent to effective communication.

From talking to companies across EMEA, it’s apparent a great deal of time is spent determining how IT security professionals, and the rest of the senior management team, can get closer on cybersecurity issues that are so fundamentally strategic. Technology can help simplify the processes involved, preventing and automating effective responses to incidents. But it’s clear that there needs to be more open dialogue within the senior management team to execute and continuously improve on cyberattack prevention strategies.

So, how do we bridge the communication gap between IT security professionals and senior management?

Finding a Common Language

Many senior business leaders struggle to comprehend cyber risk. The best guidance here is to make it visceral and relevant by defining some clear business metrics for cybersecurity.

Senior management should get involved in readiness exercises to test cybersecurity processes, so they feel engaged with the issues and risks. Security professionals need to help educate their board about cyberthreats, but in a context that business leaders can understand. Boards are concerned with the commercial impact of risk, whereas cybersecurity leaders are more focused on the dynamic speed of change in the cyber world.

To improve communication, business leaders need information condensed into regular, digestible updates – providing real-world insight.

Prepare Thoroughly

It’s natural to worry about resistance encountered during a difficult conversation, but undertaking some thoughtful preparation can significantly increase the chances of a positive outcome.

Define a clear objective for the conversation, one that you have control over, e.g. to explain succinctly what has happened and proposed actions, whilst keeping a level voice tone and maintaining powerful body language.

Communicate the implications of the cybersecurity breach from your side, as your boss may have no expectations – enabling you to control the flow of information given. Anticipate their questions and consider responses. Preparing these will mean you come across as confident, calm and considered.

Personal pitfalls are another important area to consider. So, if, for example, you have a tendency to interrupt or talk over people, it’s worth remembering to keep this in check during the conversation.

Manage that Emotion

There’s a wealth of research to indicate that we communicate an enormous amount of information unconsciously. The other party picks up many cues from our body language and tone of voice about how they should interpret our message, and how they should treat us.  

A powerful and authoritative posture to adopt during the meeting is to sit well back in your chair, with legs crossed. Another tactic is to adopt a powerful posture in private for 30-60 seconds before a meeting, as a way of helping you to send out a different ‘vibe’. This has been shown to increase senior management’s rating of people’s ability. Getting a grip on this aspect of the interaction can make a world of difference to how the conversation progresses.

In a situation where a cybersecurity breach has to be reported, it’s important to leave our need for emotional validation outside the room – for example, wanting to be reassured that this won’t have a negative impact on our career. Avoid bringing emotional needs to a hard-headed conversation with senior management about solutions and preventative measures.

Security managers should feel confident that they have all the skills necessary to manage an awkward conversation with senior management about cybersecurity. CISOs and senior leaders will be ready to manage cybersecurity risk and prevent breaches together if proper communication strategies are in place.

Replies

26th Feb 2017 16:49

It's so interesting to read about the tricky relationship between SMT and Cyber Security professionals. Coming from an IT background myself, I know that discussing data breaches and damage calculation can be some of the most awkward conversations to have but it's something that needs to be done without ego. We should be willing to put our personal wants and desires to the side for the benefit of the company as a whole.
