How to Talk about Cybersecurity in your Organization

There have been several significant and devastating security breaches reported recently by institutions that play a significant role in areas such as consumer credit reporting and the regulation of business and commerce, and even by a leading provider of cybersecurity professional services. These disclosures have led to much reporting and online discussion of not only the cause(s) of the compromises, but how such highly visible (and targeted) enterprises could have allowed such incidents to occur, taken so long to detect them, and ultimately taken so long to report them publicly.

Asking the Right Questions

Organizations large and small are asking the usual questions: “Could this happen to us?” and “Are we vulnerable to and have we fixed this vulnerability?” They are also likely asking some fundamental questions about their cybersecurity programs in general: “Do we have the right people with the right skills?”, “Do we have the right solutions in place?”, “Are we doing enough?”, or “Are we secure?”

Perhaps the most depressing and disturbing question being asked is, “Look at the companies that were breached; if it can happen to them, what chance do we have of avoiding a similar incident?”

Making the Case for Cybersecurity

Virtually all the major incidents over the past five years have revealed that each organization did not embrace the importance of cybersecurity to the health and prosperity of the company, and therefore did not take the appropriate steps to build a culture of cybersecurity appropriate to the overall mission or goal of the company. As details emerge about these recent compromises, it is highly likely that these companies too will reveal the lack of the proper approach to cybersecurity in their organization.

Knowledge is Key

There are many reasons why cybersecurity programs continue to fail so many organizations. These reasons, which usually revolve around a lack of funding, a lack of resources, or a lack of dedicated and trained individuals, can generally be described as symptoms of a “root cause”: a lack of understanding of how cybersecurity truly works and how to implement it properly in the organization.

Understanding the overall needs for a cybersecurity program also might include the following:

  1. The reasons why cybersecurity efforts fail within organizations, such as:
    • Lack of corporate commitment to cybersecurity;
    • Lack of resources (people, money, time);
    • Attitudes (this will never happen to us);
    • Organizational structure – too many “silos” with little cooperation.
  2. The motivations of the attackers (why they would target your organization)
  3. The threat is real (just look at the Equifax data breach, the SEC, or Deloitte)

There is also a need to dispel some of the significant myths and misunderstandings when it comes to cybersecurity. These include things like:

  • Technology solutions alone will make you secure;
  • Taking a bare-minimum approach to regulatory/security compliance requirements is sufficient;
  • Security is a state you achieve (in reality, there is no such thing as “we’re secure”);
  • We implemented a security solution here, so we are secure (aka “set it and forget it”).

The Message

A complete understanding of cybersecurity must be taught to every employee of every organization and must be explained in a manner that helps everyone understand their roles and responsibilities. There is ultimately a need to create a culture of cybersecurity in the organization. A culture of cybersecurity means that everyone understands the overall goals of cybersecurity – whether it is to protect company secrets, customer data, research data, or even the reputation of the company itself. By gaining this understanding, each employee must be trained on their job functions and follow some set of rules or procedures that enable them to do their work within a boundary of cybersecurity. That is, they understand the significance of things they do or don’t do and how their actions impact the cybersecurity of the organization.

The need for continuing education and training for cybersecurity and technology professionals is well understood by most organizations. Many certification programs require ongoing training and/or continuing education to maintain the certification. Education and training funding or reimbursement are often part of an employee’s compensation package.

But what type of training and continuing education does your boss receive? Or his boss? Or your executive management? Who is teaching cybersecurity up the ranks in your organization? Who is responsible for reporting on the status of your cybersecurity efforts to your executive management?

Maybe it’s you.

The Delivery

There are several techniques for more effective communication that you can practice in order to improve your chances of helping your management understand the needs of your cybersecurity program, make the right investments in personnel, training, and technology, and, hopefully, motivate them to become better educated themselves on the overall strategy of cybersecurity.

Cybersecurity is a moving target because the technology involved is changing so quickly. There is a continuous and ongoing need for training on the latest technologies, trends, and cybersecurity solutions. But there is also a need for more management and executives to gain a deeper understanding of the strategic goals of cybersecurity and how to apply them most efficiently to their organization.

This is the proverbial “10,000-foot view.” Check out the full paper, “How to Talk about Cybersecurity in your Organization” for more information on the techniques for effective communication.

About the Author

Jeff Man

Jeff Man is a respected Information Security expert, advisor, evangelist, mentor, and co-host on Paul's Security Weekly. He has over 34 years of experience working in all aspects of computer, network, and information security, including risk management, vulnerability analysis, compliance assessment, forensic analysis, and penetration testing. He previously held security research, management, and product development roles with the National Security Agency, the DoD, and private-sector enterprises, and was part of the first penetration testing "red team" at NSA. For the past twenty years, he has been a pen tester, security architect, consultant, QSA, and PCI SME, providing consulting and advisory services to many of the nation's best known companies.
