It was interesting to see a recent piece in Computer Weekly headlined “Businesses failing to see strategic value of cyber security”. You can read the stats for yourself, but it’s striking that 90% of respondents said that other departments didn’t understand what they are doing and 88% thought they could improve their communication with executive management.
Is this a business issue or a communication one? It’s both.
Cybersecurity breaches will inevitably have a business impact, but more than that, executives are potentially personally liable if things go wrong. In the same way that they monitor finances or social media coverage, they need to monitor cybersecurity.
Computer Weekly’s survey respondents would certainly benefit from providing regular, digestible reports of progress. Not just “we didn’t have a breach” or, more honestly, “we didn’t detect a breach”. One trick I learned in my corporate life was to print out a nice, simple, colourful graph of progress and pin it to the noticeboard closest to the exec suite. Far more effective in getting attention than endless emails or easily filed reports.
Timing of reporting is an interesting consideration too. Any report that is not real time is out of date. As I write I can be pretty certain I didn’t die yesterday; I’m much more interested in whether I’ll fall seriously ill tomorrow. It’s the same with cybersecurity. We didn’t get breached yesterday, so let’s get the protection in place and monitor that it, and the employees, are doing their job correctly to avoid issues tomorrow.
That’s why ThreatAware has a simple executive style dashboard, with red, amber, green alerts covering both active and operational checks. Easy to understand, close to real time and easy to interrogate when you need detail. If the respondents to the Computer Weekly survey hung a monitor with the ThreatAware dashboard at the door to the executive suite, I’m pretty sure their complaints would quickly go away.
It’s better for the executives too: the management cliché “Get what you inspect not what you expect” is as true for cybersecurity as for any other area of business.