How should CISOs and CIOs talk to board members, business leaders and other colleagues about cybersecurity and cyber-resilience – and bring the message across effectively?
Business leaders and colleagues who are not technically proficient in digital technologies and cybersecurity easily become the weakest link in your organization’s cyber-defense strategy. But having that conversation with them can be tough…
CybersecAsia sought out some fundamental help from Riaz Lakhani, Chief Information Security Officer, Barracuda Networks, who recently released a new guide to help CIOs and CISOs to have these difficult conversations.
Within CISO script: How to talk to business leaders about security risk, Lakhani outlines the three key conversations every CISO needs to have about cyber-resilience with colleagues – from technical colleagues such as engineers, developers and security researchers, to senior management and all the way up to the board – including details and tips on how security looks from each group's perspective and how to communicate in a language they understand.
What challenges do CIOs and CISOs face when it comes to communicating cybersecurity issues?
Lakhani: For a CIO or CISO, communicating cybersecurity issues to varied audiences across an organization can pose many challenges.
Firstly, it can be difficult to translate complex technical information into language that non-technical executives and board members can easily understand.
Another hurdle is addressing the varying levels of awareness or interest among employees, which can make it even more challenging to ensure that cybersecurity is recognized as a business priority, and not just an IT issue.
What are the potential risks of not having these critical conversations about cybersecurity at the executive level?
Lakhani: Cyber resilience goes beyond having the right security measures — it’s about their effective implementation and governance. Achieving robust security requires organization-wide buy-in, enabling CIOs and CISOs to close security gaps and foster a culture of good cyber hygiene.
Without this, organizations can leave themselves vulnerable to attack — including increased risk of financial, legal, reputational, and operational damages due to inadequate cybersecurity investment, awareness, and compliance.
How can CIOs and CISOs effectively bridge the communication gap with non-technical senior management?
Lakhani: To effectively bridge the communication gap, CIOs and CISOs must become adept storytellers.
The first step is understanding your audience — their backgrounds, responsibilities, and how a cyber incident would impact their division or team.
Similarly, when it comes to speaking in a language your audience can understand, it’s essential to adjust the level of technical detail to ensure clarity across different organizational levels.
When communicating with the Board, for instance, focusing on the potential impact of a cyber incident on brand reputation, regulatory compliance, risk management, and financial outcomes, backed by relevant statistics and real-world examples, can go a long way in communicating the importance of cybersecurity in a tangible and relatable way that they can understand.
What impact have recent high-profile cyber-attacks had on the perception of cybersecurity at the Board and C-suite level?
Lakhani: High-profile cyber-attacks often intensify awareness and concern about cybersecurity at the Board and C-suite levels. Media coverage of these incidents can help executives recognize cybersecurity as a crucial component of risk management and business continuity, rather than merely an IT issue.
This heightened understanding can drive leaders to prioritize and strengthen their cybersecurity measures, including the development of more robust incident response plans, ensuring the organization is better prepared to handle potential threats.
How can senior management be kept updated on evolving cyberthreats and incidents without overwhelming them with technical details?
Lakhani: Senior management can be kept informed via regular updates like readouts or presentations. The key is making sure they are kept simple and concise, with examples and anecdotes to convey key points in a way that is relevant to the audience.
In addition to this, conducting regular tabletop exercises, or simulated cyber incidents without the real-world damage and costs, provides an excellent way to engage key stakeholders.
These exercises not only provide a great way to test your incident response plan and identify weaknesses, but also raise awareness about the potential impact of specific threats and security breaches, ensuring that teams are better prepared to address cybersecurity challenges.
What about cybersecurity training and awareness? What role can they play in enhancing communication between technical and non-technical staff?
Lakhani: Cybersecurity training and awareness are essential in bridging the communication gap between technical and non-technical staff. Regular training sessions help employees at all levels develop a basic understanding of key cybersecurity concepts, making it easier for technical teams to convey the importance of security measures without overwhelming non-technical teams with jargon.
This shared knowledge ensures that non-technical staff can recognize threats, understand the potential impact of cyber incidents, and follow best practices to protect the organization.
Moreover, training fosters a culture of cybersecurity, where all employees feel responsible for the organization’s security posture. When everyone speaks a common language of cybersecurity, communication becomes more effective, and collaboration between technical and non-technical staff improves.