This blog is part of a 10-part series that dives into the RSAC 2023 Submissions Trends pulled from our record number of Call for Speakers submissions in 2023. In this blog, we focus on communication.
One of the biggest challenges in raising the criticality of cybersecurity to executives and the Board is telling the story right. It is easy to go down a rabbit hole of technical talk about unpatched servers. However, while interesting to practitioners, that talk is not going to help in gaining the support and resources needed to address cybersecurity risks if those risks can’t be articulated in concise, easy-to-understand language.
In Telling Fairy Tales to the Board: Turn Attack Graphs into Business Stories, Andy Ellis and Oren Sade of Orca Security opened their session by telling the story of Little Red Riding Hood and reinterpreting the well-known fairy tale as a story about a cyber attack map. While not meant to be taken literally, the point was to show that stories must be adapted to the audience. Ellis noted, “Anytime you walk into a conversation with an executive, you have to assume they know absolutely nothing about what you are talking about.”
People latch on to buzzwords. When you start conversations using those buzzwords, people will form their own mental picture of what you are trying to say based on their limited knowledge. Ellis continued, “You’ll end up in a rathole conversation that has nothing to do with what you care about. If I came in and said we need to patch our software across our company because we had an Apache Commons server that was compromised, they’re going to say why don’t you just fix the Apache Commons server and avoid disrupting the whole business.” The point: Use the smallest argument possible to spur action.
Ellis and Sade proposed a simple template to use when communicating with executives that has three core components: Unacceptable Loss, Hazard and Initiative. Using examples ranging from unpatched machines to malware, Sade went into technical detail about each type of threat. Ellis, himself a former CISO, noted that while most CISOs will understand the details, “This is not how I am going to talk about it to my peer executives.”
The approach laid out by Ellis and Sade was echoed in the session What 40 CEOs Told Us About Building Cyber Resilience, by Rashmi Chatterjee, CEO of ISTARI, and Dr. Manuel Hepfer, Head of Cybersecurity Research at ISTARI and a Research Affiliate at Oxford University. Chatterjee and Hepfer spoke with 37 CEOs of large enterprises across the globe with an average annual revenue of $12 billion and 40,000 employees. Among the CEOs they spoke with, 25% had direct experience handling a cyber attack that impacted their organization.
In setting out on the research project, Chatterjee noted that once CEOs were informed they would be talking about cybersecurity, the first instinct for most was to ask their CISOs to be in the room. There was clearly discomfort and hesitation among most executives at first. Chatterjee said, “Cybersecurity for some reason they associate with technology, lots of tools and lots of products,” many of which they don’t understand. But once the conversation turned to building a resilient organization, the uncertainty dissipated.
Dr. Hepfer revealed one of the major findings early on in the research: “CEOs are more interested in building resilience than in engaging in cybersecurity.” In comparing CEOs who had been through an attack with those who had not, the researchers looked at two things: how CEOs think about cybersecurity and how they act on it. From this, four CEO mindsets emerged.
One of those common mindsets was focused on adapting communication styles to regulate stakeholder pressure. CEOs want to be informed; however, nearly three out of four did not feel comfortable making decisions on business problems related to cybersecurity. Dr. Hepfer stated, “What we discovered then was that CEOs can use that stakeholder pressure in a meaningful way by changing and adapting their communication style.”
Cybersecurity stakes are high. The ability to communicate the right information to the right people in the right way is foundational to ensuring resilience after a cyberattack. One CEO quoted in the research summed up the consequences in the simplest terms possible: “Before the attack, it was completely impossible to think that anything could put us out of business.”