Tackling difficult conversations on cyber security
With cybersecurity threats growing in both volume and complexity, European IT security professionals are under pressure to ensure that the potential impact on their organisations can be minimised.
An independent study commissioned by Palo Alto Networks reveals a profession that is more determined and confident than ever to prevent these attacks. The real tension in managers’ working lives is around difficult conversations they must have with senior management regarding the fallout from cyber breaches.
It’s perhaps surprising to realise how uncomfortable IT security professionals feel when facing the board about cybersecurity breaches – with our research showing that these managers lack confidence in their relationships with the senior management team. Half our security professionals find it difficult to highlight security weaknesses and a third of respondents feel that involving senior management just makes matters worse.
Interestingly, the third most common reason for not ‘reporting’ an incident was that the person causing it was actually part of the senior management team – a factor no doubt fuelling this reticence to ‘talk’. EU legislation plays its part too, with almost half of security professionals expecting upcoming legislative requirements around cybersecurity and data protection (coming into effect in May 2018) to lead to awkward conversations with senior management.
Creating an open dialogue
It seems that cybersecurity leaders often regard a breach as a personal failing, which can make it hard for them to share with senior management. Many believe they could have done more to prevent the breach (only 42% of those who notified senior leaders during a breach believed they had done everything they could to prevent it), whilst only one third believe their senior management are open to new ideas on tackling cybersecurity – another deterrent to effective communication.
From talking to companies across EMEA, it’s apparent a great deal of time is spent determining how IT security professionals, and the rest of the senior management team, can get closer on cybersecurity issues that are so fundamentally strategic. Technology can help simplify the processes involved, preventing and automating effective responses to incidents. But it’s clear that there needs to be more open dialogue within the senior management team to execute and continuously improve on cyberattack prevention strategies.
So, how do we bridge the communication gap between IT security professionals and senior management?
Finding a Common Language
Many senior business leaders struggle to comprehend cyber risk. The best guidance here is to make it visceral and relevant by defining some clear business metrics for cybersecurity.
Senior management should get involved in readiness exercises to test cybersecurity processes, so they feel engaged with the issues and risks. Security professionals need to help educate their board about cyberthreats, but in a context that business leaders can understand. Boards are concerned with the commercial impact of risk, whereas cybersecurity leaders are more focused on the dynamic speed of change in the cyber world.
To improve communication, business leaders need information condensed into regular, digestible updates – providing real-world insight.
It’s natural to worry about resistance encountered during a difficult conversation, but undertaking some thoughtful preparation can significantly increase the chances of a positive outcome.
Define a clear objective for the conversation, one that you have control over, e.g. to explain succinctly what has happened and proposed actions, whilst keeping a level voice tone and maintaining powerful body language.
Communicate the implications of the cybersecurity breach from your side, as your boss may have no expectations – enabling you to control the flow of information given. Anticipate their questions and consider responses. Preparing these will mean you come across as confident, calm and considered.
Personal pitfalls are another important area to consider. So, if, for example, you have a tendency to interrupt or talk over people, it’s worth remembering to keep this in check during the conversation.
Manage that Emotion
There’s a wealth of research to indicate that we communicate an enormous amount of information unconsciously. The other party picks up many cues from our body language and tone of voice about how they should interpret our message, and how they should treat us.
A powerful and authoritative posture to adopt during the meeting is to sit well back in your chair, with legs crossed. Another tactic is to adopt a powerful posture in private for 30-60 seconds before a meeting, as a way of helping you to send out a different ‘vibe’. This has been shown to increase senior management’s rating of people’s ability. Getting a grip on this aspect of the interaction can make a world of difference to how the conversation progresses.
In a situation where a cybersecurity breach has to be reported, it’s important to leave our need for emotional validation outside the room – for example, wanting to be reassured that this won’t have a negative impact on our career. Avoid bringing emotional needs to a hard-headed conversation with senior management about solutions and preventative measures.
Security managers should feel confident that they have all the skills necessary to manage an awkward conversation with senior management about cybersecurity. CISOs and senior leaders will be ready to manage cybersecurity risk and prevent breaches together if proper communication strategies are in place.
Greg Day is VP and Chief Security Officer, EMEA at Palo Alto Networks. He is responsible for strategy, threat intelligence, best practices and thought leadership in EMEA.
With 35 years' experience he has helped organizations globally with risk and cyberstrategies. He began his career with Dr. Solomon's, later part of McAfee (now Intel Security...