Many companies have a fundamental information security problem, according to the co-authors of A Leader’s Guide to Cybersecurity (Harvard Business Review Press, 2019). Those organizations pay too much attention to network and system vulnerabilities and too little attention to identifying and articulating how those exposures can damage business activities.
That’s the theme co-writers Jack Domet and Thomas Parenty pull from their book in a recent Harvard Business Review article. The pair co-founded a cybersecurity firm, and Parenty has worked for the National Security Agency. The myopic focus on technological vulnerabilities, they argue, can trigger a string of negative impacts:
- Overly technical discussions of cyber threats that limit senior executive involvement in addressing cyberrisk;
- Lengthy, ill-prioritized lists of mitigation tasks; and
- Problematic gaps in cyberrisk coverage.
The solution, Domet and Parenty assert, is to share cybersecurity information with a wider organizational audience via a “cyberthreat narrative” that addresses four components:
- Key business activities and the risks that threaten them;
- Supporting systems related to each activity;
- Potential types of cyberattacks and their possible impacts; and
- The bad actors who are most likely to conduct the attacks.
Cybersecurity teams can identify the company’s most important business activities and risks by discussing them with senior leaders, scrutinizing risk-tolerance statements in annual reports and assessing strategic objectives. Domet and Parenty suggest information security professionals draft the narrative components based on input from four audiences: the CEO and senior leadership team; operations; IT systems; and relevant specialists, such as those within the legal, human resources, physical security, public relations and compliance groups.
It’s almost always helpful for more experts and decision-makers to provide input on cyberrisks, regardless of whether those risks exist within the organization or among its third parties. I would ensure that the board of directors is one of those stakeholders. Santa Fe Group Chairman Cathy Allen provides practical guidance on how chief information security officers (CISOs) can deepen their board’s involvement in cybersecurity matters. For example, when presenting to the board, Cathy says that CISOs should “avoid focusing too much on technology matters. Instead, address how cybersecurity affects business strategy, operations, products and services, customer relationships and the company’s reputation.”
Cathy also promotes the power of a compelling narrative: “Illustrate key messages with vivid examples of real-world accounts of cybersecurity lapses, especially breaches that occurred within the industry,” she advises. “Highlight how cyberattacks resulted in shareholder value declines, hits to corporate reputations, and even board and C-suite terminations. Tell a story about the current state of organizational cybersecurity and illustrate your narrative with snapshots of progress, industry benchmarks, and plenty of hard numbers and dollar amounts.”
All of the CISOs I’ve known and worked with have an expert handle on the technological aspects of their roles and risks. Tying that information to business activities in a compelling story will help many of them strengthen organizational defenses.