CISOs must initiate dialogue with their management
While CISOs need to be good ‘cybersecurity experts’, they also need to be able to get out of their offices and engage in discussions with senior management, even if this very often means moving forward at a snail’s pace.
Why talk to top management about cyber security?
Let’s put it this way: without the support and trust of management, a CISO can’t work, or at least can’t do much!
Even if the situation is changing, managers are still struggling to understand the challenges of cybersecurity and what it involves. The CLUSIF MIPS study cited above contains two revealing statistics on this point:
- 56% of the budgets allocated to information security are completely called into question every year, with only 8% of budgets remaining unchanged.
- 40% of the budgets allocated to security go towards deploying solutions within the company, which illustrates that top management perceives cybersecurity mainly as a matter of tooling.
To carry out their mission successfully and secure the necessary budgets, CISOs have no choice: they have to alert without provoking, educate without irritating, propose without demanding… in short, win over the decision-makers!
It’s an ambition that requires patience and consistency, and often begins with observation and investigation.
Preparing the ground, building the pitch
Many CISOs are, in fact, a long way from the decision-making bodies. However, if they want to be listened to (and heard), they can be proactive, whether it’s a one-off initiative or day-to-day action to be taken over the long term. Here are a few examples.
- Asking for meetings: senior managers are short of time, but are still willing to meet at key moments (for example, a few months after taking up the position of CISO, or once or twice a year to discuss strategic issues). It’s up to CISOs to take their chances and ask for a meeting when they feel it’s appropriate!
- Field research and networking: CISOs who find it difficult to access senior management have every interest in observing their environment and mapping it. Who does what? Who knows whom? Who has influence? By forging links with the right people, you can work your way slowly but surely up to the top!
- Questionnaires: sending out a questionnaire before a presentation is a good way for the CISO to find out what management is particularly interested in, as well as their level of maturity. It’s also a way of finding out more about the profile of the executives: their ‘hobbies’, their preferences in terms of presentation, their character traits… all elements that will enable the CISO to adapt to expectations and gain points.
Whatever the means used, CISOs have everything to gain from ‘fishing for information’, by taking an interest in both the business specifics and the psychological profile of senior executives. Gathering this information is an essential step in building an effective and engaging message.
How do you get management involved in cyber security?
Managers are not like other people. They are short of time, have heavy responsibilities and above all are looking for help in making decisions. This means that CISOs have to position themselves as facilitators, adapting their approach and presentations accordingly.
The right level of information
Managers don’t want to know or understand everything. In fact, they are only interested in the elements that help them make informed decisions. For this reason, the CISO should only communicate essential information.
As CIGREF rightly reminds us in its October 2018 publication ‘Visualise, understand, decide’, the dashboard presented to the COMEX and the board of directors must above all be adapted to the characteristics of the entity concerned, with a simple principle: ‘to enable management to make the right decisions to cover cyber risk’. While the report proposes a detailed framework for the information to be provided, the following are the elements that should be given priority for communication:
- Existing threats: what they are (CEO fraud, phishing, negligence on the part of employees, etc.), why they are likely to cause significant damage to the business and why they are of particular concern to the company.
- The practical risks posed by these threats to the business
- The level of investment required to cover these risks
- The latest incidents suffered by the company (what was involved, how did the teams react, all using an educational approach)
What about indicators? There’s no need to present dozens of them, the ideal being to select those that will help management identify the degree of exposure to risk and assess the relevance of the proposed measures.
The right language
Top management are not specialists in cyber security, and it is not uncommon to find wide disparities in their knowledge and understanding of the subject.
Here again, the CISO needs to adapt! There’s no point talking about technical details that won’t ‘speak’ to a manager. It’s best to venture onto their own territory, building a discourse around concepts such as the company’s long-term viability, business continuity, R&D protection and brand image.
Finally, and even if it is preferable to leave technical speeches in the cupboard, every CISO has a role to play as a trainer, by regularly making the effort to explain the meaning of the terms they use, or by using analogies to promote understanding.
In this respect, the white paper ‘Cybersecurity for Managers’, co-published by OSSIR and CLUSIF, is an interesting source of inspiration. In it, CISOs will find ideas for angles to make their discourse more concrete (the risks associated with email, mobile phones, surfing the web, etc.), as well as a glossary of simple, understandable definitions.
The right approach
There’s only one thing to do: link the cybersecurity discourse as closely as possible to concrete elements, in other words facts and figures! The CISO must ‘project’ management into a plausible scenario, in which they present:
- the events that could occur in the event of an incident (the impossibility of using the 612 workstations for at least 48 hours, the closure of a plant for 5 days, etc.).
- the foreseeable consequences, such as loss of sales, disputes with customers, damage to the brand’s image, etc.
- the severity of the consequences (low, medium, high)
- the budget needed to limit the risk as much as possible
The CISO may even go so far as to use a form of storytelling, citing the example of a company that has had to deal with the situation described (preferably choosing an example with which management can identify, either because the organisation is local or in a similar sector of activity). Top management will be thrilled, and more likely to follow the CISO’s recommendations!
The right rhythm
It’s not uncommon for senior executives to attend one meeting after another, and end up bored by the succession of presentations. To ‘wake them up’ and make an impression, CISOs need to innovate, with dynamic and effective presentations.
To achieve this, there’s nothing like clear, concise dashboards with visual representations to illustrate what you’re saying.
In addition, there are many presentation techniques that can be used. To give just one example, every CISO should try at least once to poll their audience before presenting the state of security, with a simple question like ‘Do you think the company is adequately protected?’
It’s an effective way of capturing attention, of surprising people, but also of raising awareness if there’s a discrepancy between the answers given and reality.