A few years back, a business association asked me to deliver a cybersecurity presentation. I knew some in attendance would report back to their respective board of directors, and I expected it to be a challenging session because cybersecurity knowledge and literacy would be all over the map.
It’s a situation I’ve encountered regularly. I remember in one session with about 40 people, I asked what they thought “cybersecurity” meant. Somehow, I think I got 45 different answers. Even within an organization’s board of directors, people who absolutely need to be part of the cybersecurity conversation today, you’d likely get the same variance in responses.
But I welcomed the session because it gave me an opportunity to pilot a new presentation tactic. The presentation focused more on business in general and business development as opposed to cybersecurity, and the presentation style was so outside-the-box, I was actually nervous.
To Engage the Board, Talk Business, Not Cybersecurity
Going in, I knew some of the attendees expected to hear some cybersecurity techno-babble. I did none of that. Instead, I used the simplest possible language and cartoons to disarm these senior leaders for one reason: I wanted them to feel comfortable and able to talk freely about that bogeyman topic, cybersecurity.
By focusing on business and risk instead of cybersecurity, everybody in the room was fully tuned in. Cybersecurity was just color.
You see, by avoiding the technical nature of cybersecurity, the participants made the mental jump from “cybersecurity as an IT issue” to “cybersecurity as a business and risk issue.” They saw how cybersecurity issues could impact and influence their business development plans or pose growth problems. I remember one participant emphatically saying to the group, “You just made me understand this cybersecurity thing isn’t my IT department’s problem … it’s my problem!”
And just like that, you have a new teammate.
CSOs Are From Mars, CISOs Are From Venus and the Board of Directors Are From Andromeda
There has been a great deal of discussion on whether you should have a chief information officer (CIO), chief security officer (CSO) or chief information security officer (CISO), who should do what, what reporting chains should look like, and the need for this type of specialist. The good news is that there is increased interaction between these security leaders and CEOs and the board of directors. It’s a step in the right direction.
But interaction is not enough; it’s speaking the same language that matters. To do that, you actually need to know what you’re in the business of. No two organizations are alike.
As a general observation, I’ve found that security professionals sometimes have difficulty understanding what drives business in their organization. Reading financial statements and appreciating the importance of cash flow may not be a core competency of security teams, but in practice, they should be.
The same can be said for understanding supply chains, knowing who the key customers and vendors are, and determining which costs can really impact the organization’s ability to generate revenue or meet its business mission. These are all issues that senior leaders and the board of directors care about.
Now, these same issues do not necessarily fall within a security professional’s area of responsibility, but the ability to demonstrate business acumen gives the security professional incredible influence with these other players. Therefore, if security employees can demonstrate that they have more than a one-track mind, they may suddenly find more allies within the organization.
Your Job Is to Keep the Business Going
To keep the business going, you need to know how it works. That’s why asking the right business operations questions will make all the difference. You shouldn’t be asking your colleagues, “How long can you go without a computer?” (The answer almost certainly will be, “I can’t.”) Instead, you should be asking, “You don’t have a computer for 72 hours, how do we keep the business going?” Or, “If we lose network capability for 48 hours, how do we survive the downtime?” You get the idea. Note the emphasis on teamwork.
Ask the right questions the right way and you’ll be better prepared to:
Meet the day-to-day needs of the organization; and
Understand the primary drivers of the business.
To Improve Your Cybersecurity Posture, You Need to Understand the Business
Most successful business leaders understand that rocky times are part of the normal business cycle. The best even expect rocky times, especially during business development phases. That’s not what worries them.
What worries them is if the organization has the ability and resources to weather the storm. For this reason alone, IT and security professionals need to be able to talk business to the C-suite and the board of directors, especially if new security products need to be added into the organization’s portfolio.
Make Life Easy for Your Board of Directors
With increased pressure on the board of directors to play a more active role in cyber risk governance, it is incumbent on internal cybersecurity professionals to learn what makes the organization tick by talking return on investment, cost, growth metrics, cash flow, business development, resource management and so on. If you can speak the language of business, you are better positioned to demonstrate the value of cybersecurity investments to senior leaders. You’re making their life easier, which in turn makes your life easier.
So whether it’s a few online business basics and governance courses or talking with your nonsecurity colleagues about what drives the business, it’s a worthwhile investment in the grand scheme of things.
I understand these business spaces can sometimes make security employees uncomfortable. But if you can master the business language, you’ll suddenly find yourself not galaxies apart from your C-suite colleagues and board members, but rather in the same room, working together to meet the most pressing cybersecurity and business needs of the organization. That’s a good place to be.