Barracuda’s latest research shows that business leaders can struggle to understand cyber risk. Just over a third (35%) of the smaller businesses surveyed for a recent international study say that senior managers don’t see cyberattacks as a significant risk, while a quarter admit that leaders aren’t kept up to date about the threats facing the organization.
“It can be hard for senior managers to understand the cyber risks facing their organization,” said Riaz Lakhani, CISO at Barracuda Networks. “This is not a question of management failure; it is difficult to be interested in or care about something you don’t fully understand. CISOs need to be storytellers. They need to be able to influence people at all levels in the organization and help them to understand and engage with security policies, incident response, and more. The time spent listening to and learning about your key stakeholders is one of the best investments you can make.”
In a new guide, “The CISO script: How to talk to business leaders about security risk,” Lakhani outlines the three key conversations every CISO needs to have:
- With technical colleagues, such as engineers, developers, and security researchers: These are the people you might one day be calling at 2:00 a.m. with an urgent request, so it helps to build strong relationships and understand how security looks from their perspective.
- With senior managers: Regular, scheduled meetings with the most senior stakeholders in critical risk areas such as engineering, finance, and legal, looking at how the threat and security landscape is evolving and what this means for the business roadmap, risk, compliance, and more.
- With the board: Every board is different. Learn what you can about the people around the table and make sure your slides speak to them in language and concepts they will understand. What is the key to capturing their interest and attention?
“Senior managers and the board have one big question: How can we make ourselves resilient in a world where cyber incidents are common, unpredictable, and potentially destructive?” said Keri Pearlson, author of “A Tool to Help Boards Measure Cyber Resilience” and board member, Barracuda Networks. “The conversation needs to center around the priority risks the company faces, for example through the supply chain, and what happens if an attack succeeds. The board wants to know that their CISO has given thought not just to keeping the bad actors out, but to how to respond and recover from an incident so that operations can continue, and they won’t lose the company.”