However, rather than this being the fault of businesses, there’s a growing view that responsibility lies largely with the cybersecurity industry. More specifically, in how it talks to businesses about their digital lines of defence.
The Language Barrier Problem
For those unfamiliar with the intricacies of cybersecurity, the language surrounding it can seem foreign. Packed with abbreviations and terms such as managed detection and response (MDR), endpoints, vulnerabilities and scanning, it inadvertently shuts non-technical business leaders out of conversations that directly affect them.
As a result, cybersecurity comes to be viewed as something business leaders know they need to have, but with only a limited understanding of what a strong defence looks like and why it is so critical to business integrity. Indeed, a common perspective is that investment in cybersecurity is similar to car or home insurance: businesses pay for it, but are only glad they did when the worst happens.
It’s an issue compounded by the fact that the UK has no cross-sector legislation in place that requires every business to demonstrate a minimum level of protection. (Sector- and data-specific obligations do exist, notably the security requirements placed on data controllers by the UK GDPR and on operators of essential services by the NIS Regulations 2018, but nothing equivalent applies to businesses in general.) Broader legislation of that kind would compel businesses to take a more proactive approach to understanding their own cybersecurity and where any gaps exist. With more businesses taking cybersecurity seriously, security providers would then be prompted to communicate their propositions in more understandable terms.
The Need to Make Language Relatable
Until cybersecurity legislation becomes a reality, businesses must be encouraged to think of cyber-crime in terms of what it is – a crime. One that leaves real victims.
At present, many businesses invest in solutions that they believe to be effective but never use them to their fullest extent. For example, leading solutions provide reports that might show the business was defended from 50 ransomware attacks in a month, or that a specific device is attacked every week. This essential analytics and reporting data is at their fingertips, but rarely, if ever, used.
Believing, as a consequence, that their security solution does not merit its cost, these businesses will often switch to cheaper alternatives, saving money in the short term but multiplying the risks they expose themselves to.
It is thus incumbent on cybersecurity providers to tailor their language depending on who they’re speaking to. A conversation with a CISO must be markedly different to a conversation had with a Managing Director. Where the former will want to know the technical specifics, the latter will be more interested in cost and what the solution does in the most straightforward terms.
Though there might be an IT expert on a decision-making panel, care must be taken to make a new solution resonate with the other C-suite executives, in terms of what it means in their world.
For example, when addressing an MD, a solution could be framed as the difference between the business continuing to operate and grinding to a halt, or between an intact and a damaged brand reputation, should a breach occur. CFOs, by contrast, may be more interested in the financial implications of an attack.
Furthermore, many private equity investors now insist on appropriate levels of cyber protection being in place ahead of investment. A robust cybersecurity posture is increasingly read as an indicator of maturity, highlighting solid foundations in an organisation’s approach to risk alongside an appetite to innovate.
The secret is to find ways of articulating lines of reasoning across a number of levels. Here, CISOs can play a vital role.
As CISOs need to report on the cybersecurity element in board meetings, they have an opportunity to catalogue the various attacks a solution has prevented, with descriptions of what each could have meant for the business had it not been thwarted. They can also make the point that cyber-crime is a fast-moving animal that will never disappear, only evolve: techniques that were rare a few years ago are now commonplace, and today’s defences must be reviewed against tomorrow’s attacks.
The Insurance Predicament
Although there is no general legal requirement to have adequate cybersecurity in place, there is a growing expectation, often written into supplier contracts and investment terms, that businesses carry cyber insurance.
Much like with home insurance, for a business to acquire adequate cover it needs to be able to demonstrate sufficient security measures. Given the scale of claims processed as a direct result of cyber-attacks, insurers are increasingly demanding evidence of a range of cybersecurity defences before issuing the most robust policies.
Though weaker policies might be available when only limited cybersecurity is in place, businesses then find themselves in the predicament of remaining exposed to multiple attacks with no third party ready to pay out for certain types of incident. Effectively, in order to shave some initial money from cybersecurity costs, businesses end up handing the difference to insurance companies who won’t be there in their hour of need.
Ultimately, it would seem that the gaps in robust cybersecurity across the business world can be partially filled simply by reframing the language around it, making it understandable and relatable to each stakeholder. To achieve this, it is not for business leaders to step up; it is for the cybersecurity providers.
Why Vaioni for cybersecurity?
If you’re assessing your cybersecurity posture or navigating the solutions and detection technology available to support your business, Vaioni’s expanding portfolio, built with Gartner Magic Quadrant security leaders, and its rich resource hub have been designed specifically for you.
From whitepapers and videos, through to infographics and on-demand webinars, we’ve developed a repository of guidance and insights designed to help you and your business make the most informed decisions.
Visit www.vaioni.com/cybersecurity-resources or contact one of our cybersecurity experts for more information.