We recently asked six senior security leaders how they approach the challenge of keeping their CEOs, senior executives and board members informed about IT security threats in general, and about the risks from Advanced Persistent Threats specifically.
I've listed six of their most pragmatic, actionable recommendations here for easy reference:
1. Skip the hyperbole, skip the hype.
The reality of today's threat environment is sobering enough. A summary of recent news articles on APT, the growth of cyber espionage, critical infrastructure threats and the cost of a major data breach ($84.4 million as reported by Global Payments, Inc. in its recent financial results release) should clearly communicate the risks.
2. If you are asking for additional resources for IT security, have a clear, well-defined plan for how the resources will reduce risk.
3. Provide regular metrics and reports on information security trends, risks and performance.
4. Educate senior execs on the negative consequences of being non-compliant and/or experiencing a breach.
One security leader candidly shared his concern that "sometimes I feel action won't happen unless there's actually an incident that has hurt us badly." He tries to ensure that his senior management is not complacent by sharing public reports on the breaches reported by other organisations in his industry, as well as the possibility of fines and even criminal prosecution.
5. "Personalize" the risks and consequences.
If you are outlining the risks, make sure you express what could happen in a way that speaks directly to the person you're talking to --- their job, their team, their area of ownership in the organisation.
6. Manage executives' expectations --- to expect a breach.
A leading IT analyst firm recently said it very well: "It's not a question of if - but when - your organisation will experience a serious security breach." What matters is how well prepared you are and how quickly you can respond. If your senior management team already holds that expectation, then if and when a security incident occurs, everyone will be far more focused on addressing the problem and executing a well-rehearsed incident response plan --- instead of being surprised.