With cyber on execs’ minds, CISOs need ‘101’ communication skills
Protiviti’s Sameer Ansari explains what the C-suite really needs to know about agents.
Billy Hurley has been a reporter with IT Brew since 2022. He writes stories about cybersecurity threats, AI developments, and IT strategies.
When it comes to cybersecurity, it’s not just about countering threats—you have to know how to convey the seriousness of those threats, too.
For CISOs tasked with explaining their company’s security posture to CEOs and other executives and staff, it’s important to communicate at a “101” level, Sameer Ansari, global CISO solutions leader at global consulting firm Protiviti, told IT Brew.
“We can’t assume that our audience understands and has the same level of expertise that we do,” Ansari said.
Protiviti, in its global annual survey of over 1,500 executives and board members, found that “cyber threats” ranked as both a top risk and investment priority, beating out the need to upskill for emerging technologies, legacy IT, and more.
“With the increased adoption of new technology, especially around AI, I think that’s putting a lot of pressure on a lot of cybersecurity fundamentals, as well as the reliance that you’re going to have on third parties to run your business,” Ansari said.
The need for cybersecurity is also building momentum among corporate stakeholders: The previous year’s report revealed the top risk was economic conditions, followed by cybersecurity, upskilling, talent availability, and increases in labor costs. “Addressing evolving cybersecurity threats must be treated as a strategic imperative, with organizations needing to integrate cyber risk metrics into C-suite and boardroom performance dashboards,” Protiviti’s researchers wrote in this year’s study.
We spoke with Ansari about how an increased emphasis on cybersecurity means that CISOs need to communicate those metrics in a way that goes back to basics.
This interview has been edited for length and clarity.
Given that cybersecurity is a top risk, how can CISOs communicate cyber risk effectively to the C-suite?
Moving away from the bits and bytes and being able to tell stories: This event may occur, right? But we have these controls in place. This is the likelihood of this event occurring, and, if something does happen, this is how we will respond…versus giving a bunch of facts or a bunch of numbers, and really putting it in context so that a business professional, a C-suite person, can really understand what the impact will be.
And who would this CISO be telling the story to?
I think, ultimately, to the C-suite, the board, and perhaps with the business partners, as well…There’s a bias of expertise sometimes with cyber professionals, where we talk in ways that we assume everybody understands. But we’re talking at 301-, or 401-, or 501-level terms. We need to take it back to more simplistic 101 or 201.
What if there’s a whole board of people saying, “We want to deploy generative AI in our organization.” What's the “101” approach that an IT pro can take?
You may have somebody that’s standing up a new product or function, and they want to use an AI agent to help them with that, and they’re thinking about the whole cost of creating that product; that’s going to include an employee cost, as well. They may be creating an agent, saying, “Hey, this agent should go talk to our HR agent to talk about what the cost of an employee is.” Well, because that HR agent may have access to salary data, how are you preventing the individual’s salary from coming back to that person, versus the hourly cost of individuals coming back? You don’t want that person creating that product to get access to the CEO’s salary or any other business executive’s salary…Those are ways that I can quickly describe and have an anchor on: This is something that could go wrong very quickly if we don’t have the right controls in place.
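The control Ansari describes, as an added example that is not from the article, Protiviti, or any real product: a small policy layer in front of an “HR agent” tool. The product-costing agent is issued only an aggregate-cost scope, the raw salary lookup requires a separate scope, and aggregate answers are refused for groups smaller than three people so a one-person “role” such as CEO cannot be used to back out that person’s salary. The employees, salaries, scope names, and burden/hours constants are all constructed for the example.

```python
"""Added example (not from the article or Protiviti): a minimal policy layer in
front of an "HR agent" tool, so a product-costing agent can get a fully loaded
hourly labor cost without being able to retrieve any named person's salary.
All names, roles, salaries, scopes and constants below are constructed."""

from dataclasses import dataclass
from statistics import mean

# Constructed sample HR records (hypothetical people and salaries).
EMPLOYEES = [
    {"id": "e1", "name": "A. Chen", "role": "engineer", "annual_salary": 150_000},
    {"id": "e2", "name": "B. Diaz", "role": "engineer", "annual_salary": 140_000},
    {"id": "e3", "name": "C. Ito", "role": "engineer", "annual_salary": 160_000},
    {"id": "e4", "name": "D. Ruiz", "role": "designer", "annual_salary": 120_000},
    {"id": "e5", "name": "E. Shah", "role": "designer", "annual_salary": 125_000},
    {"id": "e6", "name": "F. Wu", "role": "designer", "annual_salary": 130_000},
    {"id": "e7", "name": "G. Park", "role": "ceo", "annual_salary": 900_000},
]

HOURS_PER_YEAR = 2080       # 40 h/week * 52 weeks (assumption)
BURDEN_MULTIPLIER = 1.30    # benefits/overhead uplift (assumption)
MIN_GROUP_SIZE = 3          # never summarize a group smaller than this


@dataclass(frozen=True)
class AgentContext:
    """Identity of the calling agent and the scopes it was issued."""
    agent_id: str
    scopes: frozenset


class PolicyError(PermissionError):
    """Raised when the policy layer refuses a query."""


def _require(ctx, scope):
    if scope not in ctx.scopes:
        raise PolicyError(f"{ctx.agent_id} lacks scope {scope!r}")


def individual_salary(ctx, employee_id):
    """Raw salary lookup. Only callers holding hr:salary:read may use it."""
    _require(ctx, "hr:salary:read")
    for e in EMPLOYEES:
        if e["id"] == employee_id:
            return e["annual_salary"]
    raise KeyError(employee_id)


def hourly_cost_for_role(ctx, role):
    """Aggregate, burdened hourly cost for a role. Needs hr:cost:aggregate.
    Refuses groups smaller than MIN_GROUP_SIZE so a role held by one person
    (e.g. the CEO) cannot be used to recover that person's salary."""
    _require(ctx, "hr:cost:aggregate")
    salaries = [e["annual_salary"] for e in EMPLOYEES if e["role"] == role]
    if len(salaries) < MIN_GROUP_SIZE:
        raise PolicyError(f"role {role!r} has fewer than {MIN_GROUP_SIZE} people")
    return round(mean(salaries) * BURDEN_MULTIPLIER / HOURS_PER_YEAR, 2)


def costing_agent_query(role):
    """The product-costing agent's only path to HR data: a narrowly scoped
    context that can ask for aggregates and nothing else."""
    ctx = AgentContext("product-costing-agent", frozenset({"hr:cost:aggregate"}))
    return hourly_cost_for_role(ctx, role)


def attempt(fn, *args):
    """Run a query and report whether policy allowed it (what an audit log records)."""
    try:
        return ("ok", fn(*args))
    except PolicyError as exc:
        return ("denied", str(exc))


if __name__ == "__main__":
    costing = AgentContext("product-costing-agent", frozenset({"hr:cost:aggregate"}))
    print("engineer hourly cost:", attempt(costing_agent_query, "engineer"))
    print("ceo hourly cost:     ", attempt(costing_agent_query, "ceo"))
    print("ceo salary lookup:   ", attempt(individual_salary, costing, "e7"))
```

The two checks are independent: the scope check stops the costing agent from calling the salary endpoint at all, and the group-size floor stops it from reconstructing a salary through an aggregate that happens to describe one person. The same denial messages are what an auditor would expect to see when the agent is probed.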
What does this communication look like, structurally?
Ideally, I think it’s an ongoing conversation, and I think that’s incumbent upon cybersecurity professionals, IT professionals, as well as the business. There’s a dual accountability there. I think, at a minimum, there should be some forums, and maybe it’s through governance forums where that occurs, whether that’s monthly or quarterly.