Given that few industries are shielded from the competing forces of innovation and risk, it’s clear that organisations need to closer examine where some of these problems stem from so they can take better steps to prevent them.
It’s easy to think that cybersecurity is mostly a technology issue, but really, are businesses doing enough to uphold a good risk management culture? And how far could better comms, both internally and externally, make a difference?
As it's a subject that continues to fascinate me, I asked a handful of cyber experts to join me on stage at Cloud & Cybersecurity Expo recently to explore the topic and the discussion was revealing.
Working in comms, we know that a lack of succinct and informed communication can be a reputational dealbreaker.
With cybersecurity, of course the technology that any company uses needs to be up to date and as watertight as it possibly can be but given that so many companies fail badly at handling negative events when they do occur, there is clearly an ingrained disconnect in the way companies approach the subject.
There’s a certain elusiveness around cybersecurity and what it really encompasses, which makes it challenging for people to truly understand, especially outside of their specific organisation or department.
In addition, there is this exaggerated, romanticised portrayal of cyber threats - the faceless hacker or hostile nation - that puts the emphasis on the attacker and not the target, which creates a focus on prevention rather than embracing negative outcomes head on when they do happen. Until cybersecurity is treated like any other business risk that requires an established framework for dealing with hacks that’s created in advance, it will continue to be approached with fear and trepidation.
Simply put, large organisations need to know that it's likely they will be hacked at some point and therefore taking the front foot on threat mitigation and not kicking the can down the road is vital. Communicating reaction plans with consistency relies on a strong internal rapport. This is paramount for mitigating cyber risks before they happen.
Complex technical jargon and the abstract nature of cyber risks can hinder effective communication and decision-making at the c-suite level.
This means that often there is a disconnect between those responsible for cybersecurity and the rest of the organisation, leading to misunderstandings and inadequate risk management as well as insufficient support for cybersecurity measures when crises arise.
CIOs/CISOs and the rest of the c-suite often face conflicting priorities between the imperative for rapid innovation and the need to maintain strong cyber defences. Balancing these priorities requires a consistent understanding of risk management and ultimately an effective flow of communication between cybersecurity teams and business leaders.
You could have the best cyber team in the world, but if they aren’t listened to then that’s a problem.
In the event of a cybersecurity breach, there can be a tendency within the c-suite to assign blame rather than taking collective responsibility for addressing systemic issues. This blame culture can both undermine trust and limit collaboration, making these critical conversations evermore challenging. It’s telling that the average tenure of a Chief Information Security Officer sits between 18 to 24 months.
Overcoming this disconnect requires a cultural shift to prioritise cybersecurity as a core business priority rather than just a technical issue, which involves promoting cyber awareness at every level.
It's crucial to cultivate allies at various levels to fostering crucial engagement channels.
Communications leaders can play a transformative role in this process, acting as conduits between the board, CISOs, and cyber teams. They can help translate technical jargon into actionable insights and use their social skills to mediate disagreement to help create a meaningful dialogue between decision-makers.
When it comes down to it, it’s in the best interest of those responsible for both internal and external comms to make cyber threat preparedness a success as they will be the ones working weekends in the event of a hack!
To heal cybersecurity’s communication problem, there must be a culture of openness and realism across organisations.
When cyber practices are seamlessly integrated into enterprise risk management, it fosters a culture of shared responsibility where everyone understands their role in mitigating risk and protecting the organisation's assets.
Incident response plans should outline clear procedures for detecting, responding to, and recovering from cybersecurity incidents with define roles and responsibilities for key stakeholders, including IT teams, communications personnel, legal counsel, and senior management.
Generally, most directors are conscious of risk, so when cyber is communicated to be relatable and personal to them, they will make it a priority on the boardroom agenda.
Without proactive measures, cyber’s communication problem will only worsen. By normalising threat mitigation as a process which everyone can put their hand on, risk can not only be understood, but efficiently managed across the entire business and effective comms has a vital role to play.
Article written by Amy McRitchie, Associate Director, Head of Client Excellence, PAN Communications