Towards the end of last year my colleague Zoë Rose and I spoke at IP Expo Europe 2018 in London. Our talk was part of Cyber Security X, a core part of IP Expo. The title was “If you liked it, you should have put security on it”. That title is Zoë’s doing – if it was up to me I would have ended up with something dry and boring like “Three Lessons in Cyber Security” and only five people would have turned up. Zoë’s good at making stuff interesting.
One of the slides we created for our presentation was the following:
Of all the content we created, and all the talking we did in the session, this part really resonated with me. It resonated with my experiences with my clients and in Cyber Security in general, and it resonated with our aspiration as Baringa to have consultants who understand Cyber Security, and who can also talk the language of the Board.
Let’s be clear – this is a generalisation. There are companies out there who have their Cyber Security teams fully aligned with their Executives, and there are Executives and Boards where Cyber Security is a fundamental part of their agenda. However, on the whole I’ve seen too many situations where:
- Cyber Security Practitioners use terminology which is not understood, or fail to comprehend the priorities of the business.
- Executives don’t understand, or don’t truly buy in to, Cyber Security and fail to provide the funds or resources necessary to protect their business.
In particular I would highlight the most toxic combination, which is where a Cyber Security Practitioner believes they’ve highlighted a major issue or risk to the Executive, and the Executive comes away with a different perception.
So what did we talk about on the day? What did we say could be done?
At IP Expo, among other recommendations as to how to communicate more effectively (e.g. establish a common language, build trust using evidence), we also made two requests. One request was for Cyber Security Practitioners to recognise and understand that the Executives and Boards have competing priorities. Focus on what your priorities are and be clear on where you are placing your bets for the year. Don’t shout about everything. If everything is urgent then nothing is urgent.
The other request was for Executives to educate themselves about Cyber Security. It’s a fair expectation that any Executive running a business will know the basics about core business practices such as Customer Service, IT and Finance. Cyber Security is in the same bucket. In the modern connected world you need to have a foundational understanding of Cyber Security in order to do business safely.
As luck would have it, within a month of IP Expo we ran a training session for the Executives at one of our clients, and one of the attendees from the client was their Cyber Security Lead. In the training session the questions that the CFO was asking of the Cyber Security Lead materially improved between the start of the session and the end, and the Cyber Security Lead reciprocated with answers that were fully understood.
Ultimately, for an Executive, I can think of a number of fundamental and important steps for you to take to protect your business, and in that list I would include training yourself.