For people to change their behaviour, it needs to be made easy for them to do so. On that premise, if we expect businesses to understand cyber risks then we need to take several steps.
The first is recognising that security is one of the many things that businesses are concerned about.
For those in the IT security sector, it is easy to think that cyber security should be priority number one as the world becomes increasingly digitised. But it is important to remember that security risk is not special, it is just another business risk.
Different industries have different concerns. Banks and financial services prioritise resilience, retail is all about the supply chain, pharma has to balance patient safety and protection of pre-patent intellectual property.
We have to understand where we fit into those concerns and where security directly or indirectly helps manage those risks.
Another step that needs to be taken is financially quantifying risk. A common bugbear for organisations is that security funding often looks like a black hole, with budget requests increasing and little to show for it.
Financially quantifying risk, while difficult to achieve, allows budget holders to make better funding decisions and makes them less likely to see security as a poor investment.
Security professionals must also accept that “good enough” is an acceptable state if they expect to succeed in making the business understand cyber risks.
A lot of security professionals are perfectionists and want to see things being done properly. The people holding the purse strings typically want to achieve an acceptable level of residual risk at the lowest cost.
As a profession, we need to be better at articulating what can be achieved, at what cost and what benefits will be achieved. This allows the owners of the risk to make the right decisions in the context of their business operations.
Another step is to make advice easy for people to understand and act on. As security professionals, it is very important that we communicate in ways that resonate with our audience.
We may be comfortable talking about data exfiltration to a CISO, but that same terminology may leave a CFO or COO confused. We have to understand the risk in the context of the business to make our advice relevant and pragmatic to implement. By doing this, we are demonstrating value as trusted advisors.
The final recommended step is to attract, develop and retain the best talent. The threats to digital business are only going to get more complex. As an industry, we need to ensure that we can attract and retain individuals who can fulfil the broad spectrum of roles that the industry has to offer.
We need to recognise and reward business engagement skills in the same way that we do technical skills and provide clear paths for progression that do not involve leaving the industry.