Have you identified any best practices for communicating the value of a heightened security function?

1.5k views, 13 Comments

CIO in Telecommunication, 1,001 - 5,000 employees
Communicating the value of security is a big struggle. The problem is that the downside is just so huge. We give security great importance in my current environment, but it's hard to quantify financially. 

As CISO, I can't allow security to not work. It's not an option. If your goal is to be 99% secure, that 1% will do you in every time. On a daily basis I receive information from multiple sources that detail the extent of cybersecurity issues worldwide, including who has been compromised by whom, and using what attack vectors, etc. It is an unbelievably large problem. 

That being said, among the bigger incidents that I've seen reported, for every one that I could find details on, I'd argue some level of negligence was the reason they had these issues. They didn't have someone acting as the CISO, so no one was ultimately responsible for their IT security. Or they didn't have system maintenance programs in place, so their systems were left exposed because they were way behind on patches and upgrades. Or they didn’t have good backups, so they couldn’t restore lost data. I could keep going but you get my point. Every single one had these glaringly obvious exposures. If you understand the job and the role, you just can't let anything go. You have to be on it all the time.

I think the best practice in communicating the value of IT security is to be transparent with the business and its leadership — transparent on the depth and breadth of the threat posed to your industry and your business; transparent on your own organization’s readiness; transparent on what is needed to mitigate the threat.
Director of IT in Software, 51 - 200 employees
IMO, security is a function that should be counted on everywhere. It's not an optional thing; it's a mandatory thing to have anywhere in an organization.

Depending on the context, there would be different ways to communicate the value of the security aspects. If that's about application security, probably we can start by looking at https://owasp.org/www-project-top-ten/
VP of IT in Software, 51 - 200 employees
As a Co-Founder and VP of AI in a global company that provides threat detection AI for security, safety and compliance departments from different realms, I must say that oftentimes we get requests when a high-impact event has already happened, either on their premises or in their state/industry. This oftentimes comes as a disappointment, as the security approach should be proactive and preventive, rather than reactive.

When it comes to communication with our potential clients, we normally bring up case studies and ROI calculations, and give evidence and stats from the industry to explain that when time matters and seconds count, it's vital to have an already set-up system, automatization and response to make up for human factor error, lag in response time, and the other main reasons for a delayed reaction to a threat.

Within the company it's important to understand that securing your company both from the physical and cyber perspective is important not only for your own safety, but for the reputation among your customers and partners. Having certain certifications, proof of safety, etc. reassures your external stakeholders in the way you do business, and that you will be able to protect their information as well.
SVP - Software Engineering in Finance (non-banking), 201 - 500 employees
Not sure it’s necessarily best practice, but telling people about the risks of cybersecurity and ransomware through real-life big company examples is effective, because no one wants their IP or customer data out there, or wants malware to wreak havoc in their organization.
Senior Director, Information Technology in Services (non-Government), 501 - 1,000 employees
Transparency is essential, and specific communication should be tailored to the situation. If you are justifying a stricter password policy, explain why more complex passwords help. If you are telling people about a planned phishing simulation, give statistics about email breaches and how the simulation lowers risk.
Director in Healthcare and Biotech, 201 - 500 employees
In Healthcare I can tell you that communicating and conveying the need for security and security policy is omnipresent. I find "Best Practice" lacking, but it has a place within any grey areas. People understand security protocol, but can easily lack good judgment when dealing with new technologies or unfamiliar environments.
CIO / CDO in Construction, 10,001+ employees
First of all, the security strategy and its objectives need to be mapped to the business strategy/objectives, accompanied by a roadmap, org/process/technology plan etc., which all enable the security strategy. The linkage to the underlying respective security standard (ISO or NIST or ...) needs to be outlined as well, all of it to be represented visually for transparency and easy grasp.
Potential threat scenarios can be mapped to the corresponding countermeasures from the security strategy and quantified accordingly. For anything tangible, e.g., impact on sales, outage of a production line, missed customer orders etc., quantification is not a big challenge. It's harder however when it comes to less tangible implications on, e.g., company/brand image, but even there meaningful numbers can be generated...
However, some big counter arguments from the core sceptics will always be used: "this never happened before", "it's like a life-insurance plan where we pay installments but may never benefit from it"...

Director ERP Management in Travel and Hospitality, 1,001 - 5,000 employees
I will take phishing email alerts/warnings as an example. I used to teach my computer users how to identify a phishing email simply by looking at the email body language, from name and address, sense of urgency in the email body, signature info, phishing links etc. This communication method was very simple and effective. Most users are not security savvy and complicated security terms don't effectively work, so putting together instructions in simple language would be an effective best practice, in my opinion.
Group CIO in Manufacturing, 1,001 - 5,000 employees
This is not an easy task. I suggest a few steps.
First, agree on what is important to your business: Integrity, Compliance, Availability etc.
Then try to estimate a value/cost in case there is a compromise to these factors.
Demonstrate how ICT security or ICT controls can contribute to minimizing the risk. Do not forget to highlight the role of other functions like compliance, finance, etc in this process.
Highlight what needs urgent attention and why.
Highlight the calculated risk we are taking and some potential shortfalls that currently exist. This is being transparent with the business.
Director of IT in Software, 201 - 500 employees
In my opinion, best practices for communicating the value of a heightened security function consist of many different activities.
1) Prepare a risk register and quantify risks and the response plan. Typically cybersecurity threats will have very high values, so you need to act to reduce probability or impact. With heightened security functions you typically lower both the probability and the impact of such an attack.
2) Use metrics when talking about the root cause of why attacks are successful. For example, most attacks typically start with phishing e-mails or users opening malicious URL links. Use advanced mechanisms for protecting your e-mail, or use URL filtering and other protection mechanisms to assure endpoint security.
3) Use metrics for the impacts of successful cybersecurity attacks on companies: average loss of a company in money value, reduced reputation, maybe even bankruptcy. With heightened security you can minimize the probability that this happens to your company.
4) Increase awareness of the importance of information cybersecurity among end users; educate and teach them. People are one of the most important pillars in good and successful cybersecurity protection.
