More breaches are occurring, and more of them are impacting the board and leading to C-level executive termination. Therefore, Michael Dierickx and his roundtable group discussed how cybersecurity can be adapted into the current culture of the business. First, the group addressed how and when to bring security issues to senior management. Typically, they are only brought up when something bad has happened or when there is a new CSO to bring up to speed, making it more of a panic reaction than a proactive approach. That needs to change. Security executives can start by paying attention to how they currently speak to senior management. Do you preach FUD to them or do you inform? Demonstrating security in a context that everyone can understand, such as in a compliance and governance context, can ensure both sides are clear on the risks and costs the business might face if security is overlooked and can help push security initiatives through. Additionally, are you talking to them in highly technical terms they do not understand or in laymen’s terms? The participants were mixed on answers to this question, with Dierickx admitting that trying to explain to the board why a cyberattack occurred has never worked for him. They do not care why it happened; they want to know how it will impact the business, who is accountable, and what remediation is possible. Above all, prioritizing risks is the most important.
Likewise, the table was greatly interested in ways to integrate security within the rest of the organization. Every participant had a Cybersecurity Month within their enterprise, typically aligning with October as that is the nationally recognized awareness month. One company even boasted a year-round program with monthly security themes. Some have developed specific training for employees using new awareness software, rewarding those who meet or exceed requirements. While no participant was from an enterprise with an ironclad security culture, all of them are striving to develop and grow the programs they currently have in place, including studying metrics to ensure what they are already doing is working and discover where improvements can be made.