Adapting to the Changing Role of Cybersecurity
There is a growing acceptance that cybersecurity needs to be dealt with at a board level, but with this comes the challenge of translating technical language into business risk. Zulfikar referred to this communication barrier as the gap of grief. He explained: “A CFO might ask, ‘what’s our exposure to loss?’ The CEO may be interested in, ‘What’s the impact to our brand?’ We need to learn how to articulate the impact from a security level to a business level.”
Speaking of his own career path, having first worked as a lawyer and later as a CIO, Ang explained: “Lawyers are not traditionally technology friendly given that everything is based on 100-year-old cases. Sometimes you need people from outside the tech scene, who have crossed in and then back out, so they can speak the language of the profession.”
One way to really get the board thinking about cybersecurity risk is to practise an incident response scenario, said Diana Kelley. “There’s nothing like having a hot seat interview with your media spokesperson, like the CEO, especially if you put them in front of a camera. It’s like they change as though they’re really on TV.” Kelley emphasised that if an organisation’s spokesperson says the wrong thing to the media whilst the details of a cybersecurity incident are still being revealed, the implications for the company are potentially significant. “If you can put them in front of a camera, that’s priceless.”
Getting the Message Across
Part way through the discussion, I asked the panellists, why is the cybersecurity industry still talking about the same problems and best practices as we have been for years? Issues like backing up your data, patch management and investing in IT security training are just a few points that always come up in any discussion, so why are we still repeating ourselves?
Dr Hugh Thompson explained that cybersecurity is still a very young industry that has been forced to grow up quickly. Whilst the attendees at RSA are likely aware of what needs to be done, there are still lots of companies out there that do not realise how vulnerable they are.
Another factor is that ultimately, we’re humans, posited Diana Kelley. “We want bright and shiny things that are going to solve all our problems. If you want to be healthy, you have to eat right and exercise. It’s the same with security, you have to do these hygiene things. We all want the easy way out and it may seem boring to do backup and patching, but it’s crucial and some companies are not getting it yet.”
Of course, with the growth in smart devices and IoT, the vulnerability landscape that we all face, consumers and companies alike, will increase. Ang explained: “We have had centuries to learn about locking the door when we leave our house, but a very short period of time to learn best cyber practices. It’s the role of the cybersecurity industry, journalists, academia and everybody to continue spreading the message.”