change-executives-realityTo Truly Solve Security Issues…

Did you hear about the new IoT botnet that claims over 1 million zombie devices?

Do you know who has no clue what the above statement means?  Executives.

Do you know who makes all of the actual decisions about corporate expenditures?  Executives.

Do you know who is attending conferences, raising alarms and constantly discussing security?  Not Executives.

See the problem?

I attended a conference a couple of weeks ago and everybody was discussing plans A-F on how to stop cyber-attacks, become more resilient and somehow move the needle in the security world.  The focus kept going back to new tools, better technology, more and more security personnel and those things might be needed…

But first things, first.  We need to change the reality for executives, pull them out of the safety of blissful ignorance and present technical jargon in business terms they will actually understand.

Everything in IT/OT is eventually reduced to business terms that executive teams can incorporate into their overall business planning efforts.  Will a given technology effort drop the bottom line, open new markets or somehow increase the value of the company?  If so, in business terms, what are the risks, costs, and ROI?  Forcing security into these terms will force executives to truly pay attention and alter their perspective on what online safety means to their company.

It sounds so simple and yet in cybersecurity, it is incredibly difficult to properly convey.  Conversations have to shift from the tech world to the business world and from the bottom up to the top down.  Professionals need to start thinking like a CEO and not an engineering lead.  We need to show the business strategy, both short- and long-term, that provides the value add required to effectively transition to a secure world.

Right now business leaders point fingers to IT folks; claim ignorance or blindly spend money.  None of this is due to a lack of interest on their part – rather a lack of communication on ours.  They want to be properly engaged in conversations that make sense to them and it is our job to change the script.

At Bear, this has been a core challenge as we strongly feel that executive buy-in is essential and finding the right message, the correct benefits that go beyond the life insurance pitch most security utilizes, is critical for success.

The hackers are only going to get better and the attacks increasingly sophisticated.  As a security group, we need to bring the business leaders up to speed and give them a real plan that makes sense within their business world.  Force them to take the red pill so to speak but explain why upfront.

Until then, things are only going to get worse.