Years ago, I served as Head of Information Security for a large organization. After just 6 months on the job, we experienced every network administrator’s worst nightmare…. a data breach. As we worked to resolve the problem, it seemed like there was enough blame for everyone. IT was blamed because of their operation. Application Development and Support was blamed because of their code. Then the CIO started taking heat because security hadn’t been his top priority. Finally, the CEO came under fire for the overall performance of the team leading up to the breach.
A recent article I read by Kacy Zurkus in Security Boulevard reminded me of this situation; Zurkus does a great job outlining recent trends in cybersecurity and corporate accountability. There is no doubt that C-level executives are held just as accountable as IT teams when a breach occurs. However, that doesn’t mean that the C-suite and IT are on the same page. Knowing this, why are there continuing challenges in communication? are there continuing challenges in communication?
Communication Between C-Suite Executives and IT
There is a communication gap between the C-Suite and IT. 91% of IT pros feel that their organization is improving its cybersecurity while only 69% of C-level executives agree. Executives also disagreed with IT on data priority. They prioritized protecting employee data while IT prioritized financial data.
If IT and executive leadership are going to prepare for inevitable data breaches, we need a roadmap for communication so that we can align priorities and coordinate efforts.
3 Tips for Communication Between IT and the C-Suite
The article on Security Boulevard highlighted some good thoughts on communication with the C-Suite. Here are some ideas that jumped out at us plus a few thoughts of our own.
Tip #1: Don’t Use Industry Lingo
IT must learn to communicate complex IT issues and security threats in layman’s terms. We recommend using analogies and avoiding industry jargon. As you will see in our next tip, your communication still needs to have some meat on the bone.
Tip #2: Make Substantial Recommendations
While words like “synergy” and “collaborative” are great in presentations (not really!), they don’t do much to make your company more secure. The CEO is personally responsible for every type of issue across all parts of the company and you can help by bringing specific, actionable recommendations to the table.
Tip #3: Understand the Role of the Chief Information Security Officer (CISO) in Preparing for a Data Breach
Many companies have designated a Chief Information Security Officer (CISO) to advocate for information security within the organization. This seems like a great solution, but many CISOs are not as empowered as they could be. The CISO frequently reports to the CIO, and their interests are not necessarily aligned. This can lead to a breakdown in communication within the executive team and lead the CEO to develop a false sense of security. Consider whether a CISO would benefit your organization and think about how they fit into the corporate hierarchy.
I’ve worked in IT security for over 30 years. Many things have changed, but it occurred to me as I was writing this article that these thoughts would have been applicable 10, 20, or 30 years ago. Before concluding this article, there is one more tip that passes the test of time:
Bonus Tip #4: Get an Outside Perspective
IT security is complex, and the only certainty is that the bad guys are always looking for new approaches. Having a fresh set of eyes to analyze your data security in light of the latest threats and security resources is frequently the difference between an unsuccessful hacker and a catastrophic breach.
At SecurIT360, we specialize in delivering our cutting-edge security resources with communication that is understandable and helpful for anyone from an executive with no background to the highest-level network engineers.
We are offering a free security audit to identify the paths that could leave you vulnerable to the next data breach. Contact us today to find out more.