A common theme at security conferences for many years was the common complaint that security departments lacked a voice at the table. CISOs were sometimes treated as second-class C-levelers, and were often not represented at the board.
(Un)Luckily, in recent years, the rise of nation-state hacking, large breaches, data dumps, and financial penalties has put security under the spotlight for many organisations.
Finally, the recognition and visibility that so many security departments have craved for so long here.
But with this, come a new set of challenges.
Dealing with a newer, and more senior set of stakeholders requires security teams to add new tools to their proverbial utility belt to be able to communicate and educate more effectively. Convincing a CEO that cyber-pathogens they read about on an in-flight magazine is nothing to worry about requires a different tack than when dealing with an auditor.
Perhaps one of the bigger challenges that presents itself to security teams is fending off the snake-oil salesmen that have been attracted by 'cyber' security and want to make a quick profit. While these types often lack the skills or expertise to improve security, they do present themselves as well-polished and well-spoken and are often well-versed in tactics needed to gain the ear of a senior stakeholder.
While all these distractions and attacks can't be thwarted, there are some strategies that CISOs and security teams can adopt to position themselves better and prevent this:
Here are five non-security tips to help security teams:
1. Put toothpicks in your data
Security historically has presented data in a rather statistical manner. But merely stating how many suspicious emails your spam filter caught is akin to describing your umbrella by the number of raindrops it stops.
The debate to find the ideal security metrics has raged on for many years without showing any signs of slowing down. One way to look at the problem is by asking how the existing data could be presented in a way that is aligned to the target audience expectations.
For example, research has found that when you tell people that what they are eating or drinking is a high-end product, they won't just say that it tastes better than a cheaper product — their brains will actually experience it as better. This was proven by two Dutch pranksters who snuck into a large food-industry expo in Houten, The Netherlands. The pranksters served McDonalds food cut into pieces with toothpicks on trays, telling attendees it was an organic product.
Tasters described the samples as tasting very rich, and very pure.
Try presenting data differently with some toothpicks and see how it changes perceptions.
Security on its own has little meaning. Many businesses will judge security teams and their effectiveness based on how they feel about it.
Most will tend to frame risk based on how they have perceived it in the past. Although this isn't wrong in some cases, at other times, particularly where experience is tied to a negative perception, these habits need to be changed - or reframed.
In this regard, there are two areas that a CISO can focus on to reframe.
The first aspect is around framing context correctly and involves framing something that seems undesirable, and showing the benefits in another context. For example, Rudolph's red nose was an anomaly that made him stick out from the other reindeers. But the red nose saved all the reindeer on a dark and stormy night.
Similarly, many security controls may seem undesirable in some situations, can become a great asset given the right context.
The second aspect is content framing, which involves changing the meaning or perception of a situation. Or it can mean changing what a situation means to the organisation.
For example, Pampers struggled to break into the Chinese market using conventional approaches of competitive pricing or touting the absorption and comfort levels. It wasn't until the company conducted sleep studies they were able to show that babies who wore Pampers fell asleep 30% faster as part of a "Golden Sleep" campaign that their sales picked up.
What parts of security will help your executives sleep 30% better?
Many times, the reason c-levels execs are not motivated by security initiatives isn't because of the way data is presented, or the framing, but rather because they are not incentivised.
This doesn't mean to say that there needs to be a direct and measurable reward for supporting security programmes, but rather pitching the idea in a way that gives them something to latch onto.
An example of someone that understands their market and how to incentivise would be that of a beggar that had several bowls in front of him, each labelled with a different religion while holding a sign asking, "Which religion cares the most about the homeless?"
What is great about this example is that instead of focusing on what he wants, he concentrates on what his audience wants.
What does your audience want? How can you use that to tap into your security initiatives?
4. Look for solutions in different places
Sometimes, solutions that are needed exist in places we would not normally think of looking.
British inventor Trevor Graham Baylis CBE invented the wind-up radio. But what was the driver behind this?
One would assume that perhaps the invention was driven by clean energy, or by radio broadcasters. But neither of these were the cause. Instead, AIDS was the driver. This invention was driven by the need to combat the spread of AIDS in Africa.
In looking for ways to stem the spread of AIDS in Africa, people needed to be educated on the dangers, the causes of spread, and preventative measures. Much of the population lived in remote villages and were illiterate so could not read informational leaflets. Electricity was scare, and television was non-existent.
To meet this need, the wind-up radio was invented and distributed, where locals could listen to the radio without the need for electricity or batteries; and through this medium AIDS awareness information could be delivered.
CISOs looking for their newest security strategy may be well-served by diversifying their sources of knowledge and approaches. Much can be learnt about security from outside of the industry.
How many non-security conferences have you attended?
5. Make it “Instagrammable”
To be successful, security needs to be accessible to the masses. Employees are often aware of security issues that are prevalent in the media, but aren't often aware of procedures internally.
It's a good idea for a CISO to ask at least three questions of employees in the workplace periodically:
- What function does the IT / Information security team perform?
- Do you know where you can find a copy of the security policy, or what it states?
- Do you know how to get in touch with the security team?
The answers may be surprising, or even disheartening. It's often not down to the fact that the role of security isn't explained, it's that amongst all the other messages employees receive, it ends up being another message that is ignored.
A good approach is to try and stop selling security and to market it instead.
Recently a Brooklyn ice cream brand increased sales by 50% after it redesigned its packaging. In doing so, it made its product 'instagrammable' in that customers wanted to buy the product, simply to take photos of it and share on social media.
What are you doing to make security more instagrammable?
When it comes to securing the data and resources of an enterprise, CISOs and by extension, the security team have visibility and exposure that they previously didn't have. But just because top management sees value in security, or have been scared into action by external incidents, doesn’t mean they’re capable to lead the way. The real change will be driven by the security teams, and for that, they will need to evolve into far more than security experts. They’ll need to “think outside the box” to effectively communicate with less-technical executives.