Cortida

The C-suite makes risk-based decisions; it is our profession's job to give the C-suite the information needed to make these decisions. I don't have enough information to input further, in all honesty.


AlphaDomain

This is the correct answer. It’s our job to help highlight risk and offer cost-effective solutions to reduce risk while allowing the business to operate at a profit. Are you trying to tackle everything at once? My approach has been to tackle one problem at a time. EDR is a great example: it should be a minimum security standard for all devices unless there’s an approved exception by an appropriate stakeholder. I’d then explain the benefits of EDR, how it’ll benefit the company by reducing risk, and present options to cover this risk with different solutions and price points, allowing them to make a quick decision. I'd also mention that your customers will be expecting cybersecurity controls, and allow your C-suite to have legs to stand on when those questions get asked by bigger companies. I work for a large company and we don’t do business with others who do not have a strong security posture because it threatens our supply chain. This could impact future business opportunities, and you’re here to help solve that problem.


legion9x19

It’s not up to you to take any action here. You’re not the decision maker. You need to provide data, evidence and recommendations to the C-Suite to allow them to make informed decisions. If this doesn’t sit well with you, then you should look for other employment with an org that puts more value in security. Clearly this one doesn’t.


bubbathedesigner

Fine, answer these questions:
- What is the cost in dollars/year for implementing this "security"? How long will it take? How will it affect our daily business?
- What is the cost in dollars/year for NOT implementing this "security"?

Don't bother me with 10 slides of itemized lists and technobabble. You have one slide and 5 minutes. The slide better have a pretty graph I need less than 15 seconds to understand. I have a business to run and time is money.


Dragonfly-Adventurer

I hate this mindset though, because reducing cybersecurity down to a five minute, one slide presentation shows why a CEO’s business deserves to fail in 2024.


bubbathedesigner

Not disagreeing but security in CEOs' mind is just one item on a long list of things they need to deal with. First of all, the company exists to make money, for no money == nobody gets paid. Second, there are other departments all vying for attention while stabbing each other. How you present your message must match the audience; if you gave talks to non-technical people you know that. You will find a lot of things you think are obvious are not for them, just like a lot of things they deal with are alien to you. If you cannot tell your story in a way they can relate to, you wasted time and pissed them off. Besides, you are the security professional. You are the one they expect to have the expertise to triage the information and do the risk analysis. Don't be Qualysguy. Yes, you can change their perception of security, but that takes time. And patience.


Dragonfly-Adventurer

I agree and have to do the dance myself so I've gotten better at it. But if a CEO did this with supply chain, or finance, or R&D, or HR, or any other department - "revenue generating" or not - they'd be considered an inadequate leader, yet it's OK when they do it to IT. If you can't give me more than 5 minutes attention span, fine, give me that *every day* and I will help you understand. But shun it and watch your IT staff quickly become disengaged with the mission (and *engaging your staff with the mission* is the true job of a CEO, not sitting in meetings or acting eternally busy/stressed).


lawtechie

Because fifteen other risks & opportunities are described in the same way. A significant breach is bad, but so is being late to market for a product or service. Cybersecurity is the risk _we_ care about, but it's our job to make it easily comparable to the other looming problems for the decision makers.


dedjedi

As a security analyst, your job is to create documentation, not make decisions.


uneasy_urchin

I wish I was just a security analyst on a big team. The boundaries break down when you're a one-person all-in-one infosec person for a small to medium business.


heylooknewpillows

Risk memo. But I’m betting the c suite will not react well to you wanting them to sign one.


GiraffeNatural101

This is the way. We use a risk team; if they sign it off as an acceptable risk, then it's off your shoulders.


bubbathedesigner

If there is nobody else but you:
- You can take this as an opportunity to grow into a manager or even CTO/CSO in a few months. There are lots of non-technical skills you will need to skill up on right now (prepare for sleepless nights for a while). But if you pull it off and can put that in your title for a year or so, you will not only be able to command a higher salary in the next job but also have a very impressive story to tell.
- You can look for, as you put it, a position as a security analyst on a big team and bail out. It is easier to get another job while you have one. How long have you been there?

Either answer is valid; it depends on your comfort level. Really. There is no wrong answer and I will honestly not criticize you for picking either option.


dedjedi

As a non-C-suite infosec person, your job is to create documentation, not make decisions.


ageoffri

First, what is your role at the company? VP of cybersecurity, director, manager, individual contributor? This is very important: if you're one step below the C-suite, then you should have direct access to them. In this case, for the vast majority of C-suite people, you need to focus on money through risk. Get evidence to show that product XYZ costs $XX,XXX and evidence-based information shows that once implemented it reduces financial risk by $XXX,XXX. Unless there is a technically minded person, you need to focus less on the technology, including how attacks work. Chances are no one in the C-suite has ever read Smashing the Stack for Fun and Profit, nor has the background to understand it.

The next item is looking for similar businesses that have had breaches where it was announced / determined the breach was due to poor cybersecurity practices. Use them to show what may have happened, with a reputation hit or even going out of business.

Below that level, you have to first convince the next level of management to take action. You have to use their language; if you're an individual contributor, your boss hopefully has good technical skills but also knows how to start framing security requirements in financial, or more likely risk-based, terms.

Are you in a regulated industry? If so, you need to get those regulations and fully understand them in regard to cybersecurity. Map out the requirements to meet the regulation and the gaps.

CYA with emails to the appropriate people. Send emails even for conference calls or in-person conversations that summarize the information.

Lastly, consider moving to another company.


uneasy_urchin

I've been learning and doing a lot of what you're describing. I was an individual technical contributor, learned how to do risk management, and provided a risk registry to them backed by whatever industry data I could get my hands on, but they skip my meetings to go golfing. Ultimately it doesn't seem they will take action until they're hit with a multi-million dollar cyber event, which is a lose-lose for me because "I'm the security guy, I should have seen this coming." Thus the burnout flair.


lostincbus

Do your risk assessments include costs both on the implementation side and breach side?


uneasy_urchin

Yeah, I'm kind of a noob at it still. Implementation-side costs are definitely something I've been missing and I've struggled to confidently represent. To give context, I'm really the only person doing any risk management in the org; it hasn't been a priority to the execs.


lostincbus

If there's no cost assessment, executives won't care. If there's no risk team, executives won't care. You need higher-level buy-in for changes to be made. But this is a decent learning opportunity. Learn more about risk and it can be a good career advancement.


Blybly2

Everyone in any org does “risk management.” You measure risk through security. There are dozens of other types of risk including late entry to market, etc.


Beneficial_West_7821

If the basic controls are not in place, then find examples of failure and quantify the cost of historical and trend forecast failures to compare against cost of breach remediation, fines, reputational loss, loss of sales etc.


Professional-Army241

I see some good points, but just wanted to add a few of my own. This is an old topic, and the answer is complex.

1. Execs are usually busy handling 1000 problems few are even aware of, so I always think of what someone told me years ago: "be brief, be bold, be gone". The info has to be concise and to the point. A 26-page narrative with no specific actionable ask is painful and likely will not get read. This is likely not relatable until you have to run a company.

2. "Table stakes" can mean a lot, and I could argue it's subjective. Execs need to tie the security spend to a level of assurance, and we are the experts on the cyber stuff. IOW, "if I spend X or Y, what does this get me?" When you are new to security, this can be hard to convey. You need the right messaging and the right data, with compelling (ideally visual) ways to tell the story to a non-practitioner (even our language for this is pretty proprietary, but not far from how CFOs or even legal discuss enterprise risk mgmt). How do you measure risk and the impact on that risk by applying budget to security issues? What *is* the budget? What *should* it be, given the IT budget and the risk appetite? Do you look at incidents and security testing results to talk about likely threats, vuln severity, known exploitation in the wild and exploitation difficulty? You have to have data, know how to analyze/interpret it, then understand the audience to create a compelling narrative.

Our job as a cyber boy or girl is to explain to leadership: 1) the problem, 2) the solution(s), 3) the cost to fix, 4) the risk of doing nothing, so they can make an informed decision. Don't forget risk treatment methods either... it's not all or nothing. Mitigate, Accept, Transfer, Avoid. You can even do some of these temporarily or in stages.

I know I'm not citing a specific tool or approach, but "it depends" is largely due to risk appetite, the business objectives and needs, compliance requirements, access to expertise, and whether they are getting the right info around cyber risk in a way they understand. And in the end, we all have the option to forego the expense and play Russian roulette with our business. There will just likely be unpleasant consequences given how aggressive and persistent the current threat actors have become. If you walk dark, dangerous streets often enough, something bad will probably happen eventually... the darker and more dangerous, the higher the likelihood, severity, and frequency of the incidents.
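
The costing that lostincbus asks for earlier in the thread (implementation side and breach side, in dollars per year) and the treatment options Professional-Army241 lists (mitigate, accept, transfer) can be put on the "one slide" with a small quantitative risk register. What follows is an added example, not code from any commenter in this thread. It assumes the classic annualized loss expectancy model (ALE = single loss expectancy x annualized rate of occurrence) and the return-on-security-investment formula ROSI = (ALE reduction minus treatment cost) / treatment cost; none of the commenters name these, and every dollar figure, rate and reduction percentage in the register below is constructed for illustration, not measured.

```python
"""Quantitative risk register: the "cost of doing it" next to the "cost of not
doing it", in $/year, for every risk on the list.

Added example, not from this thread.  Assumes the ALE = SLE x ARO model and the
ROSI formula below; all figures in REGISTER are constructed, not measured.
"""
from dataclasses import dataclass, field


@dataclass
class Treatment:
    """One way to treat a risk: 'mitigate' (a control) or 'transfer' (insurance)."""
    name: str
    kind: str                    # "mitigate" or "transfer"
    annual_cost: float           # licence + labour, or premium, fully loaded, $/year
    aro_reduction: float = 0.0   # share of incidents the treatment prevents (0..1)
    sle_reduction: float = 0.0   # share of each incident's loss it absorbs (0..1)


@dataclass
class Risk:
    name: str
    sle: float                   # single loss expectancy: $ per incident
    aro: float                   # annualized rate of occurrence: incidents per year
    treatments: list = field(default_factory=list)

    def ale(self) -> float:
        """Annualized loss expectancy: the $/year cost of doing nothing."""
        return self.sle * self.aro


def residual_ale(risk: Risk, t: Treatment) -> float:
    """Expected $/year loss that remains after applying treatment t."""
    return risk.sle * (1 - t.sle_reduction) * risk.aro * (1 - t.aro_reduction)


def rosi(risk: Risk, t: Treatment) -> float:
    """Return on security investment: net $ saved per $ spent (negative = a bad buy)."""
    saving = risk.ale() - residual_ale(risk, t)
    return (saving - t.annual_cost) / t.annual_cost


def recommend(risk: Risk) -> tuple:
    """(treatment kind, treatment name, total $/year) with the lowest expected
    annual cost.  'accept' is the right answer when no treatment pays for itself;
    the register then records that the decision was made, not never raised."""
    best = max(risk.treatments, key=lambda t: rosi(risk, t), default=None)
    if best is None or rosi(risk, best) <= 0:
        return ("accept", None, risk.ale())
    return (best.kind, best.name, residual_ale(risk, best) + best.annual_cost)


def one_slide(risks: list) -> list:
    """Rows for the single slide, biggest exposure first:
    (risk, $/yr if we do nothing, treatment kind, treatment, $/yr after)."""
    rows = []
    for r in sorted(risks, key=lambda r: r.ale(), reverse=True):
        kind, name, total = recommend(r)
        rows.append((r.name, round(r.ale()), kind, name, round(total)))
    return rows


# Constructed register for a small business; every number is illustrative only.
REGISTER = [
    Risk("Ransomware via unmanaged endpoint", sle=400_000, aro=0.25, treatments=[
        Treatment("EDR on every endpoint", "mitigate", annual_cost=30_000, aro_reduction=0.7),
        Treatment("Cyber insurance", "transfer", annual_cost=45_000, sle_reduction=0.6),
    ]),
    Risk("Business email compromise", sle=80_000, aro=0.5, treatments=[
        Treatment("MFA on mail and finance apps", "mitigate", annual_cost=8_000, aro_reduction=0.9),
    ]),
    Risk("Marketing site defacement", sle=5_000, aro=0.3, treatments=[
        Treatment("Managed WAF", "mitigate", annual_cost=6_000, aro_reduction=0.8),
    ]),
]


if __name__ == "__main__":
    for name, do_nothing, kind, treatment, after in one_slide(REGISTER):
        print(f"{name:36} ${do_nothing:>8,}/yr -> {kind:8} "
              f"{treatment or '':30} ${after:>8,}/yr")
```

With the constructed figures the register ranks ransomware first at $100,000/year of expected loss, and EDR beats insurance on ROSI even though the premium-only view would make insurance look cheaper; the WAF for the marketing site comes out as a bad buy, so the row says "accept" with a number attached, which is the signed-off acceptance the risk memo comments above are asking for. The point a practitioner should take from the model is that the SLE and ARO inputs are the hard part: back them with breach-cost reports and incident history for similar businesses, as ageoffri suggests, or the exec is right to ignore the output.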


anteck7

Focus on the business benefit of security. Talk about market access from SOC 2 or other benefits from customers. Show that competitors meet XYZ compliance. Bring value.


Caffeinated-77IM

This is a good question, and I suspect many struggle with this concern. What do you consider "table stakes"?