
Security Leadership Series: Be a Code Talker, Not Chicken Little

10/22/2018  |  By: Mark Burnette, CPA, CISSP, CISM, CISA, CRISC, CGEIT, ITIL, QSA, Shareholder, Practice Leader of Risk Services


If you’re not familiar with the popular children’s fable Chicken Little, it’s the tale of a chicken who walks around proclaiming, “The sky is falling!” because he believes disaster is imminent. Chicken Little takes on this cause to warn people that the world is coming to an end.

Unfortunately, it’s easy for cybersecurity leaders to fall into the same trap that Chicken Little did. The idea that “it’s not a matter of if we get compromised, but when” has become a popular catchphrase for creating awareness of the importance of cybersecurity. And, while that statement may technically be true, phrasing it that way could completely undermine a cybersecurity leader’s efforts to get needed budget or resources.

Here’s why: If you say, “it’s not a matter of if, but when,” to a non-cyber-savvy CEO, he or she might think, “If I’m going to get compromised anyway, why should I bother spending any more money on cybersecurity at all? After all, the company is under budget pressure as it is, so our best course of action may be to play the odds, hope we don’t get breached, and deal with it at the time, if we do.” You’re undermining your message when you run around like Chicken Little, claiming that the sky is falling all the time.

Be a Code Talker Who Translates Important Issues for Leaders

So, how do you keep cybersecurity top of mind without constantly reminding leaders of the potential dangers facing the company? 

Rather than running around like Chicken Little, try to approach your conversations like a code talker. Made famous by the movie Windtalkers, code talkers were Native American Marines who shared and translated secret messages during World War II. If you can tailor your communication and message to terms and concepts that your business leaders can relate to, much like the code talkers did during WWII, you’ll have a much better chance of getting their buy-in for the company’s cybersecurity efforts.

One way to translate and reiterate important information is to take advantage of what’s happening in the news. When you see an article on a cybersecurity issue or recent breach in the Wall Street Journal or another respected trade publication, you can leverage it to address and inform your senior leadership team.

The next time you come across a cybersecurity article that’s relevant to your business or industry, consider sending it to key members of your leadership team with the following note:

“You may have seen this recent article in the Journal about company X that had a cybersecurity issue. You may be wondering if our company could experience a similar issue. We’re analyzing what we know about that now, and, if you’re interested, I’d be happy to give you a briefing on whether or not we are similarly at risk and how our organization is prepared for that same issue.” 

Of course, your executive team might never follow up with any questions about that specific issue, but that’s not the point. Taking the time to share relevant industry news helps them know that you’re there, that you care, and that you’re working on the organization’s behalf to protect against a similar threat. It also subtly reinforces the need for a cybersecurity program. Because some executives still fall into the trap of thinking that a cybersecurity issue won’t happen to their company, periodically seeing respected peer organizations in the news helps to break down that mistaken perspective.

Don’t Let Your Cybersecurity Efforts Get Lost in Translation

Being able to communicate with your senior leadership team about important cybersecurity initiatives is a critical skill. Continually highlighting how the company’s cybersecurity efforts are facilitating the achievement of the larger objectives of the organization is essential for getting the necessary resources to build the kind of cybersecurity program you need. Avoid technical jargon that business executives won’t understand (more on this in a later article) and Chicken Little-style threats (“if we don’t do this, we’ll be hacked for sure”), align your initiatives with company priorities, and you’ll be more likely to get support for your cybersecurity program efforts.

As seasoned leaders in the information security industry, our team at LBMC Information Security is here to equip you with the tools, resources, and insights you need. Subscribe to our blog or podcast to stay up-to-date on the latest cybersecurity news and trends. You can also explore our Security Consulting services or contact us today to learn how we can help you with information security solutions.

This blog is the second in a series by Mark Burnette on security leadership that focuses on key issues security executives face daily and tips for how to navigate those issues with excellence.
