When it comes to CISO and board communications, Fear, Uncertainty and Doubt (FUD) remains overused as a way to create immediate alignment. Fear mongering may work to meet a short-term goal, but in order to prevail over unknown and unpredictable threats, CISOs and security leaders need to inspire confidence – not panic.
Educating senior executives on the importance of adopting a security mindset is essential. And when conversations stall between CISOs and the board, security leaders start talking about what they need from the board to ensure their company does not become the next Equifax, Target, etc. and fall victim to a massive breach. Rather than connect with or educate the board, some use news stories about major hacks to scare them into getting what they want. I understand why: some attacks, or advanced persistent threats (APTs), are stealthy, and well-known defenses are glaringly ineffective at discovering them. Forget about preventing them; we are still working on finding them. Plus, most private sector practitioners are inexperienced in dealing with such sophisticated adversaries. Oftentimes, the hacking groups behind high-profile mega breaches are more organized, better funded, better staffed and more experienced than the security teams of their targets.
Currently, few organizations are equipped to deal with APTs in a meaningful way. While the situation is far from hopeless, the investment in people, process and technology needed to adapt is massive, and articulating it in layman’s terms is way easier said than done. So why not play on fear? Fear creates a very real and intense emotional reaction. After all, there’s nothing like a common enemy to create unity where there is none.
But common ground does not equal trust. And a healthy fear of an unknown threat is not the same thing as hysteria. FUD quickly degrades into skepticism and, in some cases, contempt. So, while it is easy enough to understand and justify the use of FUD to (for example) push an unbudgeted expense through, its inherent volatility makes it a poor choice of currency for those whose job is to mitigate risk. Selling FUD is also an industry-wide problem. It is on the entire security community to change the dynamic, not just CISOs.
The challenges that CISOs face when dealing with their boards (communication obstacles, board inertia, staffing shortages and issues managing technology) are legitimate roadblocks, but they are by no means insurmountable. Communication is usually listed as one of the key issues; the way I see it, it is the root cause. Improve communications, and everything else improves. We need to learn how to be better communicators, and the sooner the better. How we communicate about attacks up the food chain will be the ultimate indicator of how well we are doing.
There is a wealth of free resources available for improving communications. Find an approach that works for you and then practice, a lot. Being an effective communicator is an extremely useful and transferable skill, and the time you invest in developing it will be well spent.
Here's some advice if you have to communicate up the food chain about complex and sensitive matters:
CISOs have had an extremely accelerated evolutionary path. Those who are thriving possess natural leadership skills. But what they do with those skills will set the stage for the future of our profession. Historically, some very powerful and effective leaders chose to lead through FUD. It’s definitely an option, but is it the one that best serves your company?