New legislative requirements in terms of IT security are now an integral part of corporate governance. As a result, cybersecurity is no longer the sole preserve of the CISO: it is of interest to, raises questions for, and must be understandable by the executive committee (COMEX) and management committee (CODIR) of organizations.

This new challenge requires C-levels to get involved and understand issues for which they do not always have the appropriate IT culture, in a field that is most often reserved for an audience of experts. At the same time, CISOs must adapt their communication to the level of understanding of their management.

In this context, several questions arise.

  • How, as a CISO, can you effectively report IT security issues to management?
  • What are the expectations of C-levels?
  • How to translate technical issues into tangible objectives for the company?

Some explanations follow.

Management increasingly aware of cybersecurity issues

Corporate executives are becoming increasingly vigilant about the importance of cybersecurity, as indicated in the ESG study for Trend Micro.

But if 82% of them recognize a worsening of cyber threats, cybersecurity still seems too often confined to IT teams: according to 62% of respondents, this mainly falls under the DSI (Information Systems Department).

Good news: the study, however, shows a real awareness among decision-makers, since 85% of respondents observe a growing interest from boards of directors in this topic.

Bad news: this emerging interest is very (too) often reactive, arising only after major incidents…

Cybersecurity remains a complex subject for leaders

Despite this awareness of risk, business leaders struggle to understand cybersecurity issues. This trend is particularly pronounced in SMEs and mid-sized companies, where resources are most often limited.

According to Bpifrance and Cybermalveillance.gouv.fr, this reluctance arises from several factors. First, cyber risks are most often understood only superficially, which leads to an underestimation of the issues and excessive delegation to the IT team.

To make matters worse, investment in cybersecurity products and solutions is often perceived as prohibitive, even though the financial consequences of an attack can be catastrophic. Remember that according to an Orange Cyberdéfense study, 60% of companies that fall victim to a cyberattack file for bankruptcy within 6 months! It is therefore urgent to make cybersecurity understandable to everyone.

How to talk cyber to your management?

The role of the CISO is no longer just to be a technical referent. It must evolve into a more strategic, communication-oriented function, which involves linking IT security issues to governance objectives and the company’s business vision.

Speak business rather than technical to your interlocutors

The primary goal of your speech to management? Make them aware of the situation. This will involve highlighting:

  • cybersecurity issues;
  • the consequences of risks (damage to reputation, unavailability of business processes, financial sanctions, etc.);
  • how these relate to the company’s objectives.

As Baptiste David, Head of Market Strategy at Tenacy, explains, organizational management is interested in the commercial and budgetary repercussions of IT security risks, rather than the technical aspects and underlying organizational constraints: “The CISO must avoid technical language and speak business to business leaders. This involves explaining why certain situations are problematic as well as their potential impact within the organization.”

It is therefore important to popularize the terms you use in order to facilitate exchanges with management. On this point, you can rely on the white paper co-written by OSSIR and CLUSIF, Cybersecurity for managers, which gives many practical tips for making your speech accessible, accompanied by a glossary offering simple definitions of terms such as DNS, BYOD, MFA, or Phishing.

Base your speech on facts and figures

To ensure effective communication, do not hesitate to walk management through a concrete scenario. Highlight the consequences of a successful cyberattack on the company, for example the impossibility of using any of the company’s workstations for 72 hours, or the resulting loss of turnover.

Alongside this scenario, add a retrospective of significant cybersecurity events in the company. These facts may include:

  • internal security events;
  • the results of a recent audit;
  • the introduction of new regulations having an impact on corporate governance…

The idea here is to move from fiction to reality.

You can also monitor security incidents occurring in companies similar to yours (preferably French) so that management can more easily relate to them.

The goal is to keep management informed, without overloading them with unnecessary details. It’s about enabling them to ask questions and understand cybersecurity trends that could affect their environment.

Don’t multiply the reports

Too much data kills data: to remain intelligible, don’t produce too many reports!

Keep in mind that each report should provide value to management: in other words, it should give them information that informs strategic decisions, highlights progress, or identifies new challenges.

As Baptiste David points out: “An annual report proves insufficient to monitor the rapid evolution of cybersecurity issues, while a weekly frequency risks saturating management with redundant information.”

For example, as part of an ISO 27001 certification project that may extend over six months, the most appropriate format would be a quarterly report to demonstrate progress and support the right decisions. For more urgent matters or major incidents, ad hoc reports can be presented without waiting for the next scheduled deadline.

Use Tenacy to support your analytics

To facilitate the work of CISOs, the Tenacy platform offers detailed and contextualized analysis, allowing a precise and real-time assessment of the company’s IT security posture. Advanced data visualization features transform technical information into meaningful charts and tables, strengthening your communication with decision-makers.

You can therefore manage the company’s cybersecurity, detect irregularities, and create reports that are understandable to everyone. The trifecta, in short!

To Remember

The role of the CISO is evolving beyond a purely technical role to become that of a strategic player in the company. It is now up to the CISO to translate cyber risks into business and budgetary implications, and to present information that is both relevant and understandable so that management can make decisions.

Using platforms like Tenacy makes this easier, providing detailed, contextualized analytics that enable real-time monitoring of cybersecurity posture.

Contact our sales representatives now to request your Tenacy demo!