The conflicting messages Security Professionals give Business Leaders
It’s not if you’ll get hacked, it’s when. This is a statement every security professional has probably heard. In fact, most of us have probably used it at one time or another. A slightly different version is, if a hacker wants to get it badly enough, they will and you can’t stop them. While these statements may be true, they are not helpful. Worse yet, they setup a form of paradox among security professionals. We tell leaders they can’t do anything to protect themselves but then shame them when they do nothing.
Why say these things?
The origins and intents of these types of statement are most often genuine. Usually they’re used to convey the notion that being 100% hack-proof is unrealistic. Furthermore, they set the expectation that security is a continuous process not a destination or goal. While the sentiments are accurate but poorly communicated.
In some cases, however, these statements of hopelessness sound like an attempt to convey superiority. Their context seems to say, I know more about these attackers than you and you’re foolish to think we can stop them. Ultimately, the tone is counter productive and prevents us from inspiring the actions we want to see.
Shaming Inaction
Things get worse when, after telling leaders there is no hope, cyber security specialists turn around and shame them for not taking action. A breach occurs. The security folks point fingers at all the security initiatives that didn’t happen due to business decisions. Yet the blame game isn’t fair. Those fingers should be pointed at the ones who said there was no hope.
Consider this. When someone you count on for their expertise says a task simply can’t be done, how motivated do you feel? Will you spend time trying to accomplish something you have little passion for when the expert says there’s no hope? This is the scenario we as security professionals create when we share these messages of hopelessness. Basically, we’ve told them to just accept what is and move on. So how can we expect that they would do anything we ask?
Communicating better
When we talk to business leaders about security, we have to arm them with decision making criteria. We need to help them see that the course of action we’re recommending has tangible benefits. That doesn’t mean over-promising the impact of a new control or solution. Instead, we just need to help quantify the risks and the reduction of risk that will result. Give them some hope that if they do this thing, it will reduce the likelihood or impact of a compromise.
Of course quantifying risk makes most security folks shudder. It is hard to do and harder to do well. However, it’s not impossible. Focus on numbers. How many user accounts will no longer have static passwords with the new multi-factor solution? How many functional systems will be isolated to their own segment with that micro-segmentation proposal? Use those numbers to develop metrics. Will revenue generating systems be more secure? Well how much revenue are you helping protect?
The case being made doesn’t have to include complex formulas that create objective risk scores. Rather, we just need to provide tangible context of how much more secure will we be tomorrow over today? It sounds silly to say but ultimately that’s the decision business leaders are asked to make. We’re asking them to make a cost-benefit based decision in their heads. Make it easy for them.
When you give someone credible hope that their actions can be successful, they become motivated. Know what successful means and coach them if you have to. Success in security strategy is not becoming unhackable, we know that. It’s achieving continuous improvement over time. Stop spreading doom-and-gloom and wondering why they don’t take action. Use positive messaging to inspire action and get the results you want.
Leave a Reply