Translating cyber security threats into business risks
Aside from the relentless barrage of cyber security attacks, one of the key challenges for IT security professionals is getting the rest of the business on board with understanding that cyber security risks translate into business risks.
How to Communicate Cyber Security Risks to the Business
There is great potential for things to get lost in translation when cyber security threats and remedies for protecting the organisation are communicated to non-security professionals. The IT security department might jump to “red alert” as a result of a user opening a malware-bearing email attachment, where other people in the business won’t make the connection between opening the attachment and the level of cyber security risk involved. As our own research shows, for many businesses the cyber security threat landscape is getting worse.
You can download the Research Paper below:
Well-publicised breaches at Target, Ashley Madison, The US Federal Office of Personnel Management (OPM) and TalkTalk show that it is much easier to raise awareness if you define cyber security risks in everyday terms. A £10 million fine, a tarnished reputation or lost customers is far more impactful to business leaders and frontline staff than general references to “non-compliance” or data leaks.
The magnitude of the impact of these breaches is catapulting cyber security right up the business risk register, but there is still work to do. Ponemon research found that board members are increasingly aware of cyber security, but lack an understanding of the issues, which must limit their ability to evaluate situations and respond appropriately. The US NACD found that directors are dissatisfied with the information and clarity of cyber risk information they are given. This must be rectified before cyber-threats can be tackled effectively.
Tailor the relevance of cyber security threats to the audience
One challenge in bridging the communication gap is that cyber security threats mean different things to different people and invariably impact different elements of the business. The implications of specific cyber security risks or non-compliance can be unclear to senior managers for whom business objectives, deliverables and the bottom-line are more pressing. If the link between a threat and its ramifications are not clear or not evident, then the risks to the wider business can be obscure.
To change this, security professionals must translate cyber security into business risks language; presenting each part of the business with understandable and relevant information. This means stating not what the threat is, but providing intelligent metrics for cyber security. These metrics should clearly show what assets or information are at risk, how business activities and reputation could be impacted, the likelihood of the events and the consequences if the worst does happen.
Impacts must be tuned to the specific mandate of the individuals – a CFO will be more concerned with financial impacts (like the new fine regime under GDPR) than a CEO who would focus on reputational and strategic impacts.
For example, if you tell a Sales Manager that the organisation needs to invest to rectify some non-compliances with PCI-DSS standards, they are likely to view it as a technical issue to be delegated and resolved. If, however, you explain that the business could end up unable to accept credit card payments until the problems are rectified, there is a better chance of gaining business traction. Similarly, ransomware may not initially concern the business and its executives any more than any other form of malware or data loss – unless it is made clear that this risk is worsened by previous lack of investment in comprehensive data backups, patching that is hampered by a constant demand for uptime and resilience.
All staff members can help manage cyber security risks
Aside from dealing with the difficulty of translating between technical and business issues, there is a need for greater collaboration in the security and compliance processes. There are more useful ways to approach compliance than seeing it as an annual tick-box activity. It must become a continuous, real-time process; with inbuilt quality improvement. Businesses need intelligent metrics for cyber-risk that show live, up-to-date security and compliance status of key systems and processes. This enables instant identification of problems and allows them to be dealt with before they become serious. Becoming fluent in risk means information is presented in a common and meaningful language across the business, so its importance is clear to everyone.
Cyber Security is a critical issue
Ultimately, cyber security is not just an IT concern. It is a business-critical issue with ramifications for everyone. The only way to tackle threats effectively is to turn everyone into a business cyber security risk sentinel, so they understand risks relevant to their own role or part of the business. This means continuous security and compliance monitoring and familiarisation of the security and compliance management processes across the business so that governance outcomes can be continuously improved through “testing and adjusting” of policy and compliance controls.
This collaborative approach will decrease the risk that a business will be hit by a damaging breach or a costly fine; but it also reduces the risk of cyber security threats the business has to face being lost in translation.
You should not have to wait for others to tell you that you are under attack. Instead, use Protective Monitoring to protect against attacks. Check out our infographic to support you in your work: