Two new pieces of EU legislation coming into effect in May 2018, one focused on data protection and the other on preventing cyber incidents that impact essential services, set the expectation that businesses should have state-of-the-art cybersecurity capabilities as society becomes more digitally dependent.
Businesses need to come together to take action in relation to these requirements. However, research commissioned by Palo Alto Networks revealed that half of IT security professionals find it difficult to highlight security system weaknesses to senior management, while the rest find it more difficult to admit that a breach has occurred.
So how do we overcome this?
Do the Translations
Boards typically look at risk in terms of its commercial implications and how to balance the investment in capabilities to manage it, rather than the technical requirements to resolve it. To communicate more clearly, IT security professionals must provide much more regular, digestible updates that give business leaders grounded, real-world insight. What’s essential, but all too often absent, is the commercial view – “what would this mean to my business?” – because it’s all too easy to get caught up in technical jargon.
Be clear on how to qualify value back to the business
Business leaders can seem resistant to new ideas. All too often this is due to an inability to qualify the business value that such ideas would bring, especially if the commercial risk could not be assessed to start with. There are many cybersecurity frameworks with ways to measure cybersecurity, but many of their measures are lagging indicators, so it can seem that, no matter what we do, things still happen. Seek out the leading metrics that show your preparedness both to identify and respond to risks and to act when the unexpected does happen.
Be transparent if there are security gaps
Less than half of the cybersecurity leaders surveyed believed that they had done everything they could have done to prevent an incident. Many say this was down to not getting the resources they asked for, or that with hindsight they could have done more. Yet the challenge is that if they cannot live up to their own expectations, IT security managers cannot expect others to believe in their commitments. There shouldn’t be an acceptance that because this is how security is done today, it is also how it should be done in the future. IT security managers must become their own biggest critics, looking for pragmatic ways to ensure they achieve the right balance relative to the organisation’s level of acceptable risk.
Agree on the balance of investment vs. risk
Because of the fluid nature of IT and changes in cyber risk, yesterday’s good security can be tomorrow’s poor security. IT security managers and business leaders must agree what is acceptable – the line of risk that the business is not willing to cross – while recognising that this line is dynamic. The new EU legislation – GDPR and the NIS Directive – encourages relevant cybersecurity capabilities that leverage current state-of-the-art practices. Core to this is the balance between protection, detection and response.
Change is good
Organisations are constantly looking for new and innovative ways to go to market, yet in the dynamic cybersecurity space, IT security managers strive for conformity and apply the same best practices and principles. The upcoming EU legislation is a welcome and rare opportunity to shake up what may be outdated cybersecurity concepts and beliefs. In a cyber world that is so dynamic, this is as close to a reset and a break with conformity as we are likely to see for some time.
So how can IT security managers learn the new skill of broaching difficult topics with their bosses?
Define a clear objective for the conversation. Your objective should be something that you have control over, e.g. ‘to explain succinctly what has happened and the proposed actions, to keep a level tone of voice, and to maintain powerful body language’, rather than ‘to ensure that they treat me with respect’. Communicate the implications of the cybersecurity breach from your side. Remember that your boss may have no expectations – this enables you to control the flow of information you give them. Anticipate their questions and think of responses. Preparing these will mean you come across as confident, calm and considered.
Do the Wonder Woman
Assume a ‘power pose’. Adopting a powerful posture in private before a meeting can increase the other party’s rating of our ability. This seems to work by making us feel more powerful, so that we then give off a stronger vibe, even when the other side is not aware of the pose we adopted beforehand. One power pose that works is “The Wonder Woman”: stand tall with your chest out, your hands on your hips and your legs slightly apart. Do this for 30–60 seconds before the meeting. Avoid, however, the ‘adapted child’ position of sitting like a school child expecting to be told off: sitting forward on the edge of your seat, with your feet and knees together, hands folded in your lap and head slightly bowed. It’s easy to fall into this trap if you’re feeling vulnerable. A more powerful and authoritative posture is to sit well back in your chair with your legs crossed.
Manage that Emotion
Don’t look to get your emotional needs met. If we are feeling anxious or guilty, it is natural to hope that the other person will tell us ‘it’s alright, you’re not in trouble’. This can be particularly acute if we are worried about potential damage to our reputation and career. However, when we are reporting a cybersecurity breach, we need to leave our need for emotional validation outside the room. Go for a drink with a friend or talk to trusted colleagues, but don’t bring emotional needs into this kind of meeting with a senior manager. This meeting needs to be a hard-headed conversation about solutions and preventative measures. Be prepared for their emotional reaction. Once you have explained the situation, give your manager some space to ask questions or let off steam. Don’t interrupt, and definitely don’t say “calm down”!
Greg Day is chief security officer, Palo Alto Networks, and Peter English is the author of ‘Tackling Difficult Conversations’