I first noticed it a few years ago. I was speaking with a CFO about financial auditing when he asked about my background. I’d barely spoken the word “Cybersecurity” when he launched into an angry tirade. “We are spending almost five times what we spent ten years ago, and our chances of being breached are HIGHER today than they’ve ever been. At this rate, only the biggest companies will be able to afford Cybersecurity.” I’ve run into similar sentiment several times since. It’s usually more frustrated than angry, like when a CEO asked me, “Will Information Security ever be cost effective?”
Many in Cybersecurity don't realize there is a trust gap between Information Security (Infosec) leadership and business leadership. The gap goes back to the time when Infosec was part of Information Technology (IT). Back then, a CEO told me, "I've noticed our IT guys always have the biggest monitors." He trusted IT to deliver Information Technology services, but he had some doubts about how judiciously they spent company money. That CEO overlooked possible excesses because IT provided a powerful competitive advantage. In the Great Recession of 2008-2009, IT leveraged new technologies, significantly reducing costs while improving service. These cost reductions allowed some businesses to post positive earnings instead of losses. IT leaders were heroes to their counterparts in Finance.
While the value of IT was on the rise in business leaders' minds, organizations separated Cybersecurity from IT, making it an independent budget and team. Since then, Infosec budgets have grown 5-10X in many organizations, and for most -- as the angry CFO said -- the risk of a breach is higher today than it was a decade ago. This is the heart of the trust gap. Businesspeople don't understand how Infosec people could spend "all that money" and still suffer expensive breaches. At its root, this is a communications failure. Infosec leaders are similarly frustrated. They are fighting a never-ending war against legions of attackers, and few have time for meaningful, productive conversations with business leaders.
I’m not the first to see this gap as a communications failure. In the last decade, as hard costs for a single breach climbed past $1 Billion, top Infosec leaders -- often titled CISOs, for Chief Information Security Officers -- found themselves reporting to CEOs or Boards of Directors. CEOs and Boards rarely understand what CISOs are saying, let alone what they're up against. Many CISOs have a hard time explaining their plans, decisions and associated risks in business terms. Long gone are the days when Infosec was part of the Chief Information Officer’s (CIO) IT organization; most CIOs are politically savvy MBAs who have no trouble communicating in business terms.
Some believe having CISOs learn Risk Management and Finance will erase the gap. That may be the long-term solution, but it is not realistic today. The typical CISO is attempting to build a coherent defense from dozens of nascent, disparate Cyber solutions that lack automation and integration, while defending against a continuously evolving collection of attackers and attacks, called the Threat Landscape. Many CISOs also face a difficult people management task: coordinating technical leaders from multiple Infosec silos, including workstations, identity, servers, and networking. These silo teams are often territorial and competitive, and it usually takes CISO involvement to create the cooperation that effective Information Security requires.
To help reduce the communication gap, I wrote The Executive’s Cybersecurity Advisor. It provides business leaders with basic information about Cybersecurity, allowing them to communicate with any Information Security leader. Business leaders can use the Advisor to become active participants in the decisions that shape their organization’s cyber defenses.
- Mike Gable, The Cybersecurity Advisor, September 2021
Mike Gable is a Cybersecurity expert and author of The Executive's Cybersecurity Advisor, a book explaining cybersecurity principles to business leaders -- enabling them to have productive conversations with their counterparts in Information Security.
Parrish, Florida, United States
Copyright © 2021 FieldStar Group - All Rights Reserved.