Translating Cyber-Threats into Business Risks
Aside from the relentless barrage of cyber-attacks, one of the key challenges for IT security professionals is getting the rest of the business on board with efforts to keep these threats at bay.
There is great potential for things to get lost in translation when cyber-threats and remedies for protecting the organisation are communicated with non-security professionals.
Well-publicised breaches at Target, Ashley Madison, the US Federal Office of Personnel Management (OPM) and TalkTalk show that it is much easier to raise awareness if you define risks in everyday terms. A £10 million fine, a tarnished reputation or lost customers is far more impactful to business leaders and frontline staff than general references to "non-compliance" or data leaks.
The magnitude of the impact of these breaches is catapulting cybersecurity right up the business risk register, but there is still work to do. Ponemon research found that board members are increasingly aware of cybersecurity, but lack an understanding of the issues, which must limit their ability to evaluate situations and respond appropriately. The US NACD found that directors are dissatisfied with the information and clarity of cyber risk information they are given. This must be rectified before cyber-threats can be tackled effectively.
Tell Them Why They Should Care
One challenge in bridging the communication gap is that cyber-threats mean different things to different people and invariably impact different elements of the business. If the link between a cyber-threat and its ramifications is not clear, risks to the wider business can be obscure. To change this, security professionals must translate cyber-threats into business risks, presenting each part of the business with understandable and relevant information. This means not merely stating what the threat is, but providing intelligent metrics for cyber-risk. Impacts must be tuned to the specific mandate of the individuals – a CFO will be more concerned with financial impacts than a CEO, who would focus on reputational and strategic impacts.
Turn Everyone Into a Cyber-Risk Sentinel
Aside from dealing with the difficulty of translating between technical and business issues, there is a need for greater collaboration in the security and compliance processes. There are more useful ways to approach compliance than seeing it as an annual tick-box activity. It must become a continuous, real-time process with inbuilt quality improvement. Businesses need intelligent metrics for cyber-risk that show the live, up-to-date security and compliance status of key systems and processes. This enables instant identification of problems and allows them to be dealt with before they become serious. Becoming fluent in risk means information is presented in a common and meaningful language across the business, so its importance is clear to everyone.
Ultimately, cybersecurity is not just an IT concern. It is a business-critical issue with ramifications for everyone. The only way to tackle threats effectively is to turn everyone into a business cyber-risk sentinel, so they understand risks relevant to their own role or part of the business.
This collaborative approach will decrease the risk that a business will be hit by a damaging breach or a costly fine, but it also reduces the risk of cyber-threats to the business being lost in translation.
by Piers Wilson, Head of Product, Huntsman Security
This article was first published on The Fintech Times.