The real clue for making a difference to how businesses understand cyber risk is in the use of the word strategy.
Strategic thinking and leadership are required by all organisations if the National Cyber Security Strategy is to be realised.
But, as we all know, engaging with our business leaders and boardrooms on cyber security can sometimes be as challenging as understanding the threat landscape in the first place.
According to Osterman Research, only 37% of IT security professionals believe risk is reduced as a result of conversations with their boards. If the idea of these reports is to reduce organisational risk then we need to find a different language to engage with boards – and fast.
At the moment, communication may well be trapped at a cognitive and complex level. This is what should be informing the strategy, but it isn’t the strategy by itself. Information security professionals need to look at other ways of pushing messaging to leaders.
Some practical examples might be to utilise the content coming out of the National Cyber Security Centre (NCSC) in regular reporting, along with using the National Cyber Security Strategy as a means of framing the need to boards in a way they will understand.
Utilise communication teams and find language that will encourage business leaders to bring their skills to the table in a more hands-on way than simply agreeing to funding for projects or software.
In this way, a more embedded, resilient and fit-for-purpose strategy can emerge, which will then provide the security input into all business strategies throughout the organisation. This will include physical systems too.
We know that boards want to have a clear message from their security professionals and cyber security is a priority, but there is a serious disconnect in perception in how good business really is at using the strategic skills of its leaders.
Further Osterman Research shows that 70% of board members report they understand everything being said to them by their IT security professionals. Yet, as we have seen, IT security professionals feel risk is not being reduced, and this is ratified by two in five board members saying the same, effectively contradicting themselves. Therein lies the challenge: to force our way through that faulty perception and create some clarity.
As information security professionals, we have a responsibility to make sure we find a way to communicate with them and all business units and actually reduce risk by understanding it. Our business leaders cannot possibly be understanding what they are reading if there is no resulting risk management based on it.
If the risks are understood, the National Cyber Security Strategy communicated and an effective strategy and leadership in place, we can start to have hope of resilience and genuine cyber risk management.
Mike Gillespie is director of cyber research and security at The Security Institute.