When a CISO approaches management for budget and support for a new cybersecurity project he or she has two main approaches:
Discuss the technical abilities of possible attackers and the dangers facing the company information systems in hope that management will either fully understand the technical details (good luck with that) or be scared enough to share the CISO's sense of urgency and approve the request.submit a business case for how the project proposed promotes business processes and aligns with the company's strategic goals.
For years we've seen the cybersecurity industry trying to push new tech, new procedures and new projects through a fear-based approach that eliminated the need for long processes and business due diligence on the one hand, while on the other - it cut down on trust and true communication between cybersecurity professionals and management.
Cybersecurity professionals, facing significant challenges from lack of budget, the global skill gap and the constant race to keep up with increasingly sophisticated cyber-attacks find learning the business environment and lingo difficult and opt for the easier (and successful at times) fear-based approach easier to adopt.
After years of preaching about the importance of business context of cybersecurity to CEOs, CISOs, board members, senior managers and anyone else who would listen, I decided to go back and do a little research. I wanted to know if this is how decision makers still consider cybersecurity initiatives or if scare tactics still work like they use to in past years.
"The Survey"
Searching through my LinkedIn contacts and found over 300 CEOs and decided to impose on this LinkedIn relationship to gauge the market. I messaged each CEO with a simple question: “Would it be easier for the CISO of your organization to get approval and funding for a new cybersecurity project IF they presented it in a form of a business case rather than stated the dangers involving not mitigating the risk involved?”
Apart for 3 CEOs of small (under 20 employees) tech companies the overwhelming majority answered YES. A CISO would do better by presenting a business case than stating technical facts only.
So, Yes; the corporate world has evolved in the way it deals with cybersecurity risk (and cybersecurity professionals as well). Management would like to see a well-prepared document stating pros and cons, risk and opportunities among other business aspects of the proposed cybersecurity project.
No one can deny the compelling (and fear-based) arguments that arise from headlines in cyber-attacks on huge companies like Equifax, Yahoo and Ashley Madison which may actually win a CISO some short-term support and funding but for the long-term, creating healthy work relationships, educated communication and mutual trust is critical to a CISO’s success.
In order to create healthy, productive business relationships a CISO must start talking business and constantly look for the business context in any cybersecurity project.