Unfortunately, cybersecurity has been making homepage headlines recently. Between the recent Hacking Team fiasco (have you seen the WikiLeaks data yet?), the federal OPM breach uncovered just a few weeks ago, and the hack of JP Morgan in the summer of 2014, cybersecurity is no longer a technological oddity.
Still, not everyone follows news headlines or security incidents as diligently as you might think. In fact, it's safe to assume that some (if not the majority) of Fortune 500 boards regard cybersecurity as just another checkbox to be ticked off by the CIO or CISO at best. Of course, when a technically savvy executive brings up cybersecurity, most board members' eyes tend to glaze over.
So how do you talk to business leaders about cybersecurity before they tune out? Here's a list some of our customers have used to get the board's undivided attention on cybersecurity:
1. Talk Business, Not Technology
It's easy to get carried away with in-depth cyber attack scenarios and ominous new techniques. For lots of folks, these doomsday prophecies seem to be lifted from a Mr. Robot episode rather than a new business reality. It's hard to see their relevance to the boardroom. For the time being, it's the CISO's job to present cyber risk in business terms. The board needs numbers.
Imagine your CEO or CFO asking "If we don't invest in x, what's our bottom line exposure?"
If you can't put a defensible dollar figure on the risk, the board will dismiss your case faster than a hacker could guess Hacking Team's passwords. That's really fast. Quantify the risk, explain what it would cost to contain it once it materializes, and how much you could save by being prepared.
2. Cybersecurity Can Be a Personal Career-Ending Threat
Obviously, nobody wants to see the company they work for go under. But a career-ending blunder has far more dramatic implications for every board member's life. In the recent past, we've seen how senior leadership is held accountable for mismanagement of cybersecurity. Sony's co-chairman Amy Pascal, as well as Target's former CEO and CIO, had no choice but to resign immediately after news of the security breaches made headlines.
3. Present the Cybersecurity Severity Scale
While some incidents have devastating potential, they represent the extreme, if not rare, cases. Labeling an incident's severity helps to put events into perspective, and also serves to illustrate the potential consequences of severe cybersecurity negligence. Recent news of the OPM hack is indeed concerning at the highest political levels, but has not triggered a nation-wide crisis (yet). It's a good example of Serious severity. Last year's JP Morgan breach, while allegedly going unnoticed for months, had very limited impact on the company's bottom line. According to JP Morgan spokeswoman Patricia Wexler, the attackers "accessed customer contact information, but no account information". Assuming that is an accurate depiction, you could label the JP Morgan breach as Light on the cybersecurity severity scale (as far as we know at the time of this writing). At the extreme end of the spectrum, the case of Code Spaces is especially concerning. Following an attempt to recover from cyber extortion, the company's entire systems were essentially wiped. The cost of recovery could not be justified, which led to the company's collapse. That's as Devastating as it gets, but unfortunately it is just one more data point in the statistic that 60% of small businesses close within six months of a cyber attack.
At the end of the day, board members are people too. The story of cybersecurity, especially when presented by a technology-driven professional, must be delivered from an emotional perspective backed with hard data that business leaders can digest. Technology is often perceived as a cool toy at best. Loss of business, job security, and even prestige are universal themes in boardroom conversations.