Risques liés à la & confidentialité
Cybersecurity Compass: Bridging the Communication Gap
Discover how to use the Cybersecurity Compass to foster effective conversations about cybersecurity strategy between non-technical and technical audiences, focusing on the phases of before, during, and after a breach.
The Importance of Listening and a Common Language
One of the biggest challenges in cybersecurity is bridging the communication gap between technical and non-technical stakeholders. Having a common language in cybersecurity is crucial. Technical experts often discuss cybersecurity in terms of threats, vulnerabilities, and technical solutions, which can be overwhelming for non-technical leaders. On the other hand, non-technical executives may focus on business impacts, compliance, and financial risks.
In this article, we are going to discuss how the Cybersecurity Compass provides a common framework that aligns these perspectives, ensuring a unified approach to cybersecurity strategy. For that purpose, we are going to explore the internal mechanism of the Cybersecurity Compass. Starting with the Cybersecurity Compass, we will guide our discussions and strategy development by focusing on the three phases: before, during, and after a breach. This approach ensures that every aspect of cybersecurity management is addressed comprehensively, from proactive measures to reactive responses and continuous improvement mapping those to people, process, technology and leadership.
Cybersecurity is the responsibility of everyone in an organization, not just the IT department. Cyber risk should be considered a business risk, not only a technological one. This means that leaders at all levels must be involved in the conversation. Effective leadership is crucial in establishing a culture of security and ensuring that cybersecurity strategies are integrated into overall business operations.
Before starting with the method and how to use the Cybersecurity Compass, I’d like to bring your attention to a topic that I’ve encountered many times while participating in and coaching this kind of conversations: the importance of listening.
Effective communication is a two-way street, especially when bridging the gap between technical and non-technical audiences. Listening plays a crucial role in ensuring that both sides understand each other’s perspectives and collaborate effectively on cybersecurity strategies. As Otto Scharmer outlines in his work on Theory U, there are different levels of listening that can transform the quality of our interactions and outcomes.
Listening is one of the most underrated leadership skills. Great leaders understand that listening is not just about hearing words but about understanding the underlying messages and emotions. By practicing active listening, leaders can foster a more inclusive and dynamic environment that promotes innovation and resilience.
When technical experts and non-technical leaders engage in discussions about cybersecurity, it’s essential that both parties feel heard. Technical teams need to listen to the concerns and priorities of business leaders to align security measures with business objectives. Conversely, non-technical stakeholders must understand the technical constraints and necessities to appreciate the complexities involved in safeguarding the organization.
Listening encourages collaboration by ensuring that all voices are heard and valued. This inclusive approach leads to more comprehensive and effective cybersecurity strategies. When teams collaborate effectively, they can leverage diverse perspectives and expertise to anticipate and address potential threats more proactively.
Active listening helps build trust between technical and non-technical teams. When non-technical leaders feel that their concerns are acknowledged and addressed, they are more likely to support and invest in cybersecurity initiatives. Technical teams, on the other hand, gain credibility and cooperation when they demonstrate that they understand and prioritize business needs.
Common Biases, Assumptions, and Mental Models
Based on my experience, another challenge I’ve found is recognizing and addressing biases, assumptions, and mental models, which is crucial for effective communication between technical and non-technical audiences. Here are some common ones:
Technical Audiences:
- Bias for Complexity: Assuming that more complex solutions are always better.
- Jargon Assumption: Using technical jargon and assuming it’s understood by everyone.
- Problem-Solving Bias: Focusing on technical solutions without considering business impacts.
- Isolation Assumption: Believing that cybersecurity is solely an IT issue, not a business-wide concern.
Non-Technical Audiences:
- Oversimplification Bias: Underestimating the complexity of cybersecurity issues.
- Cost Aversion: Viewing cybersecurity primarily as a cost center rather than an essential investment.
- Overconfidence Bias: Assuming that existing security measures are sufficient without understanding potential vulnerabilities.
- Delegation Assumption: Believing that cybersecurity can be fully delegated to IT without active engagement from other departments.
- Business Context Bias: Assuming technical teams lack business context and only focus on technical aspects.
How to Use the Cybersecurity Compass
Now that we understand the importance of listening, recognizing biases, and understanding different mental models in both technical and non-technical audiences, we are ready to start using the Cybersecurity Compass.
The Cybersecurity Compass was designed with the objective of creating a common language for cybersecurity. The most basic concept of the framework is to unify the criteria that in cybersecurity, we need to remain vigilant and always assume a breach. This means always thinking in terms of before a breach, during a breach, and after a breach. For each of these constant states, we need to consider the people, process, and technology that support our efforts. To unify these elements, we need to have common questions guiding our discussions.
Starting with the Cybersecurity Compass, we will guide our discussions and strategy development by focusing on the three phases: before, during, and after a breach. This approach ensures that every aspect of cybersecurity management is addressed comprehensively, from proactive measures to reactive responses and continuous improvement. For this purpose, we are going to explore the internal mechanism of the Cybersecurity Compass.
Before a Breach: Proactive and Predictive Cyber Risk Management
Proactive measures are essential before a cyber incident occurs. This phase emphasizes the importance of understanding that “It’s not a matter of if a breach is going to happen, but when.” The conversation should begin with key questions that guide the strategy:
People: Who should be involved?
- Who are the key people in our cybersecurity plan?
- How are we training our employees to recognize and respond to cyber threats
- What roles and responsibilities are defined for cybersecurity within our organization?
- Who is checking our cyber risk every day?
Process: How should it be done?
- How are we finding and addressing cyber risks?
- How often are we checking for cyber risks?
- What steps are in place for keeping our systems updated?
- How are we keeping our digital asset inventory updated, contextualized, and valued constantly?
- How are we keeping track of our cyber risk, and how often do we measure it?
- What is our current level of cyber risk, and how does it compare with other companies in our industry?
- How are we managing our cyber risk, and what plan do we follow to manage it over time?
- How are we providing business impact and context to calculate our cyber risk?
- How we are calculating cyber risks across all of our digital assets?
Technology: What tools and technologies do we need?
- What tools are we using to monitor our cyber risk?
- What tools are we using to gather information on threats and monitor our systems?
- How are we making sure that our technology is secure?
During a Breach: Reactive and Defensive Detection and Response
During a cyber incident, detection and response are crucial. The conversation should focus on how quickly and effectively the organization can detect and respond to a breach. Key questions to guide this phase include:
People: Who should be involved?
- Who is on our incident response team?
- How are we communicating with stakeholders during an incident?
- Do we have a clear chain of command for incident response?
Process: How should it be done?
- What is our incident response plan?
- How are we detecting and analyzing suspicious activity in real-time?
- How we are detecting and responding across all of our digital assets?
- What are our protocols for isolating affected systems?
- What are our mean time to detect (MTTD) and mean time to respond (MTTR)?
Technology: What tools and technologies do we need?
- What monitoring tools are we using to detect breaches?
- How are we ensuring that our incident response tools are effective?
- Are our systems capable of providing real-time alerts for potential breaches?
After a Breach: Recover and Improve for Cyber Resilience
After a breach, the focus shifts to recovery and continuous improvement. The conversation should address how the organization will recover and what lessons can be learned to enhance future resilience. Key questions for this phase include:
People: Who should be involved?
- Who is responsible for leading the recovery efforts?
- How are we supporting affected employees and stakeholders?
- What training or awareness programs are needed post-incident?
Process: How should it be done?
- What steps are we taking to recover from the breach?
- How are we conducting post-incident analysis?
- What improvements can be made to our processes based on what we learned?
Technology: What tools and technologies do we need?
- What tools are we using to restore systems and data?
- How are we updating our technology to prevent future breaches?
- Are our backup and recovery solutions effective?
Challenging Our Assumptions
To effectively use the Cybersecurity Compass, it’s crucial to challenge our assumptions continuously. This ensures that our strategies remain robust and adaptive to evolving threats. Here are general questions to help challenge our thinking regarding people, processes, and technology:
People:
- Are we involving all the necessary stakeholders in our cybersecurity planning and response efforts?
- Are our training programs up-to-date and addressing the latest threats?
- Is our incident response team empowered to act quickly and effectively?
- Are the appropriate people leading and supporting our recovery efforts?
- Who else should be involved in our cybersecurity strategy?
- Are we retaining our cybersecurity talent effectively?
- How are we ensuring continuous training and development for our cybersecurity team?
- Are there any challenges we haven’t considered that could affect our people?
Process:
- Are our risk assessment and management processes effective and regularly tested?
- How well do our processes align with industry best practices?
- Are our incident response plans regularly tested and updated?
- Do we have effective protocols for detection and isolation of threats?
- Are we conducting thorough post-incident analyses and implementing improvements?
- How regularly do we update our recovery plans based on lessons learned?
- How often do we test our processes?
- Can we do something to be more proactive and predictive in managing cyber risks?
- Are there any challenges we haven’t considered that could affect our processes?
Technology:
- Are we using the best available tools for threat detection and monitoring?
- How frequently do we evaluate and update our security technologies?
- Are our monitoring tools effective and providing timely alerts?
- Are our incident response tools capable of mitigating damage efficiently?
- Are our recovery tools and backup solutions effective and reliable?
- How are we updating our technology to prevent future breaches?
- Are we using the right technologies?
- Are we consolidating our technologies to improve efficiency and reduce complexity?
- Are we eliminating silos to ensure better integration and communication across our technology platforms?
- Are there any challenges we haven’t considered that could affect our technology?
This is just the beginning…
The Cybersecurity Compass is a powerful tool for bridging the gap between technical and non-technical audiences in cybersecurity strategy discussions. By focusing on the phases of before, during, and after a breach, and addressing key questions related to people, process, and technology, organizations can ensure a comprehensive approach to cyber risk management. Embracing the mindset that a breach is inevitable and preparing accordingly can significantly enhance an organization’s resilience against cyber threats. By integrating the Cybersecurity Compass into their strategies, organizations can navigate the complexities of cyber risk management with confidence and effectiveness, ensuring alignment and understanding across all stakeholders. Remember, cybersecurity is everyone’s responsibility, and effective leadership is key to creating a culture of security.
To read the full-length blog, click here. Explore more Cybersecurity Compass insights here.