“The days of talking about FUD (fear, uncertainty, doubt) are over, that immature conversation. It has to be something more complex and CISOs have to take business risks,” De Lude told CSO. “You have to be able to organize a conversation for others, talk about things they like in their language and have the right details, these are the ingredients of a good story.”
What CISOs need to consider to tell the right risk story
One of the hacks De Lude uses is to draw on news stories relevant to the audience in his risk conversations. It helps join the dots while demonstrating the importance of a security plan and the need to avoid being in the news. “I frame it based on what they’re concerned about, so if they’re on board, it’s product risk or regulatory risk, and I talk about the implications and what we’re doing to reduce that risk through the security system,” he said.
However, there are challenges in adopting the right language. The term risk is limited and can limit the conversation, according to Alexander Hughes, director of cybersecurity and compliance at Visa. To address this, he proposes to measure risk in terms of loss or damaged assets – reduced performance or value due to an attack – which is easy to understand within the context of cybersecurity. “If you can talk about risks as costs, there is more flexible language like loss of income. Therefore, if the service is attacked and does not work, that asset is downgraded or damaged, and revenue is lost,” he said.