Not long ago I attended a dinner with about 25 national cybersecurity thought leaders. As introductions progressed around the table, each person spoke passionately of their concerns regarding significant aspects of cybersecurity, such as cybercrime or information warfare. I reflected on how their perspectives, while aligned to mine, seemed to be missing the “click up.” My vision was being focused through the CSO lens where every day I am leaning backwards in a foxhole at the pointy end of everybody's spear – whether cybercriminals, regulators, executives, IT peers, you name it – all of them taking shots.
So when my turn arrived, I was fixated on the looming cybersecurity gaps that I see (or don't see) every day. Topping this list is communications. These must be crisp, concise, transparent and influential at all levels, and to all key stakeholders internal and external.
Next comes compliance. This is essential to running the business. In my case, it consumes the majority of my resources. It's important to remember that compliance is not security, and security is not compliance.
Technology is the next priority. The cloud, new platforms, mash-ups, third-party/user contribution, and more, are all, for the most part, absent any real focus on security, but they create a much greater demand for security. Unfortunately, many strategies make use of the same old security technology band-aids with incremental improvements, and there are no game changers in sight.
Did I mention the bad guys? They have become more effective, far more organized and economically motivated. We've come a long way from the era of script kiddies.
But above all, my comments at the dinner focused on the most difficult problem I face every day: effective communications. We need to start getting serious. Unless my CEO starts using the word “cool” as a way of expressing acceptance and starts sending me texts signed BFF, then I need to banish hacker speak – no use of such terms as trojans, worms, viruses, phishing, and more. I need a grownup cybersecurity language and taxonomy. I need standardized metrics, similar to financial metrics, that are effective measures of security health and effectiveness and are applied consistently across industries. These terms should be recognizable to all C-level executives and regulators.
The fact is, most C-level executives might be supportive of cybersecurity, but they don't know what it is, thus having a fruitful conversation is elusive. Subsequently, the lack of effective communications stretches everyone's patience and plays out dramatically when characterizing priorities and getting the needed resources to defend the organization.
My former CEO once framed it this way: Security budget meetings are not about the money. It is much more about trying to balance the company's needs while ensuring effective security without being over-indulgent.
Let me give you an example. When my wife and I brought our newborn daughter home from the hospital, as inexperienced and anxious parents we were always asking ourselves: “Are we feeding our baby enough?”
I blurted out: “Well, I guess you will have to trust me.”
Without effective communications, CSOs are doomed from the outset or dismissed as “purple squirrels,” a characterization bestowed by one business colleague on security professionals owing to the fact that we are often incomprehensible. CSOs need to better educate executives, develop business language and sensible metrics, and then become effective business thought-leaders. In that way you will own the outcomes.
This year at RSA, in a gathering of government and industry colleagues, I suggested that the group champion a common cybersecurity language and taxonomy. But everyone wanted to chase or thwart the bad guys. By failing to effectively communicate the security imperative, we will ultimately fail at executing the mission and wind up chasing the bad guys on tricycles.
The profession has certainly come a long way in a short time, but now is the time for greater innovation and security maturity.