One of the most important components of any cybersecurity program has nothing to do with firewalls, intrusion detection systems or cloud access security broker deployments. In fact, it’s an asset that doesn’t require licensing, rack space or even an uninterruptible power supply.
It’s the ability of Chief Information Security Officers (CISOs) and their teams to effectively engage and communicate with cybersecurity stakeholders (employees, business line process owners, customers, and the executives who hold the cybersecurity purse strings) so they fully understand the role they play in mitigating (or inadvertently increasing) risk to an organization.
Stakeholder engagement (or communication skills) has been called a “soft skill” in countless cybersecurity blogs and technology magazine articles. But there’s nothing soft about this skill: stakeholder engagement is hard. And it’s well worth the effort.
The most effective cybersecurity leaders communicate with stakeholders regularly and strategically, and with specific outcomes in mind -- such as encouraging employees to stop using obscure and unapproved cloud-based storage services for critical business purposes such as file transfers.
Other examples of outcome-driven communication include persuading a profitable business line to modify a risky business process and convincing executives to support new cybersecurity program investments.
Annual online employee cybersecurity training alone is not effective stakeholder engagement. Neither is showing up to quarterly board meetings with a six-inch binder stuffed with KPI metrics that mean little to non-IT executives (especially when you could put cybersecurity data into a broader business context, as the Verizon Risk Report does).
Instead, consider the following techniques and tools to improve your communication in your cybersecurity program and with critical stakeholders.
Use data to win minds -- and stories to win hearts
Two new publications from Verizon – the 2019 Data Breach Investigations Report (DBIR) and the Insider Threat Report – are brimming with data and stories that help organizations in specific industries to better understand the unique threats they face.
For example, the DBIR uses real-world breach data to illustrate how bad cyber actors attack hotels using different tools and techniques than they use when attacking healthcare organizations. Retail stores have very different risk profiles from manufacturers, and so on. Knowing this allows stakeholders across an organization to actively contribute to its defense.
With DBIR data, companies can adjust policies and procedures to be more effective against the proven attack methods that plague specific industries. A quick glance at social media posts about the recently released 2019 DBIR shows that many CISOs and their teams are using the DBIR data to educate and influence decision-makers, all the way up to the board of directors.
For example, this year’s DBIR shows that as more companies move to the cloud, so do cybercriminals. Knowing this can drive conversations on the need to adjust corporate cybersecurity policies and business practices to strengthen cybersecurity initiatives and communication.
But data alone doesn’t always inspire stakeholders, especially non-IT employees and executives, to change their behaviors, revisit their business processes or approve a new cybersecurity investment.
That’s where stories come in.
Storytelling has emerged as a powerful tool for CISOs and their teams. Telling true, data-driven stories about cybersecurity makes the abstract real and applicable to stakeholders and their roles in the workplace.
Verizon’s Insider Threat Report, for example, features several stories – anonymized, but drawn from many of Verizon’s middle-of-the-night incident response engagements. These stories walk the reader through cybersecurity breach scenarios and how they were resolved. Using a simple, non-technical (but not dumbed-down) narrative approach, the ITR tells data breach stories that employees can easily see themselves in. This is an important step to getting employees to recognize the role they play in securing your environment.
Ever try to explain to senior executives (who don’t specialize in IT) why your cybersecurity architecture needs an upgrade? Eyes tend to glaze over when you get into the nuts and bolts of network segmentation, firewall rules and DDoS systems. So the DBIR uses a “golf course analogy” instead: investing in cybersecurity enhancements is like installing stickier sand traps and deeper water hazards, and relocating the tees and the holes every day. Bad cyber actors, this story teaches us, are like selfish golfers: they cheat shamelessly. And we need to make navigating the course as hard as possible for them.
It may sound overly simplified, but everyone likes a good story, especially when the bad cyber actors are so easy to dislike. Make your stakeholders the heroes of your cybersecurity story by showing them how they can make real contributions to the cybersecurity program, even if they work in a non-IT role. After all, who doesn’t want to be a hero?
David Grady will speak more on this topic at the AWS re:Inforce conference in Boston on Wednesday, June 26, 2019.