Most articles with this title follow a similar format: they identify that security is a business-level problem, talk about the difficulties of communicating risk and threat and, in most cases, the lack of funding to deliver an appropriate cyber security programme. All of those things are almost always true. Yet those articles are written almost solely from the perspective of the Cyber Security team, and so they are missing half the story.
If we are honest, Cyber Security is often the difficult child of the IT environment. Investment requests, threats and risk almost always increase, reliance on digital technology definitely increases, and if you are unfortunate that year, all of that hard work fails anyway. Yet boards are informed that they need to keep investing in the next whizbang solution, be scared of the latest attack vector, or face the wrath of a nation-state threat actor. What if we imagine we are no longer IT professionals but have moved into the role of a member of the leadership team?
From this perspective I am being told that I need to keep spending money on an area of my business that isn't visibly improving, in an environment that is only getting worse, where I could spend unlimited sums of money and still fail. If this were Dragons' Den it would be a "no from me". Does this mean Cyber Security is an area that shouldn't be invested in? Clearly not, but we have to change the way we talk about Cyber Security.
Fear, uncertainty and doubt (FUD) are powerful mechanisms for motivating change in people's behaviours and investments (be that time or money). These overused mechanisms, however, are only effective in the short term; the recipients, in this case our C-Suite, build up a tolerance to this type of communication, which in turn reduces their sensitivity to the message. This is a reinforcing loop in which you have to escalate the described threat far beyond what most organisations can realistically expect to face. And this is where trust breaks down: when communication fails, investment slows, focus shifts and improvement stops.
How can we change the way we talk about cyber security?
We need to consider how we are personally motivated and how that shapes the way we communicate. A model for motivation that was shared with me and has stuck with me is 'towards vs away from thinking'. I won't go into detail here, but in summary 'towards thinking' is heading to something you want and 'away from thinking' is moving away from something you want to avoid. Cyber Security is full of examples of away from thinking, and in my experience it is the more common motivation type among those in our industry. This means that when we communicate we are missing an opportunity to balance our approach.
So what would a more balanced communication look like and how might this change the way the C-Suite respond?
What did you and your team do well last year? How did you improve, and what impact did that have on making you a more secure business? Helping the C-Suite see the impact of their investments contextualises the requests for funding. Where can you tie these back to the business goals they supported, such as enabling flexible working or delivering new lines of business or locations? Security is an enabler; let's not miss the opportunity to make that link clear for our non-technical colleagues.
Provide a longer-term view of where you see the Cyber Security environment developing in line with the goals of the business. This roadmap for investment, in technology but more importantly in people and processes, removes the uncertainty around the investment required. Don't expect to have a totally accurate view of cost for longer-term items; a reasonable estimate helps frame investment not only for this year but for the next 3-5 years. Year-over-year budget increases may be acceptable but should be tied to the performance of the organisation. In that case you should expect to face greater scrutiny, and linking the increasing investment to the business's goals will help demonstrate why it has changed and why it is important.
Highlight opportunities to consolidate or expand the use of previous years' investment. Clearly communicating how you and your team are better managing your existing tools and maximising previous investment reduces the fatigue of every roadmap item being just another capital investment request. Cyber Security is as much about hardening, optimising and monitoring as it is about deploying new technology. Communicating these activities rounds out the picture and demonstrates that the capital investments in new technology are considered and required.
Demonstrating how you perform against your peers will help you paint a realistic picture of Cyber Security maturity in your market segment. Most, if not all, organisations still have improvements to make, and clearly showing where you stand within your segment demonstrates that. It also allows the C-Suite to see that this is a continual process that will shift and shape to support the evolving needs and goals of the business, and it ensures you don't fall into the trap of Cyber Security improvement being a one-time project rather than a continual part of a well-maintained business.
I think it's time we changed the way we speak about cyber security.