Boards and Management Must Work Together to Strengthen Cybersecurity

Identify the gaps in cybersecurity communication and find ways to close them.

With both boards and management concerned about the effect lax cybersecurity can have on a company, it is essential that both groups work together to close communication gaps on the subject and continue toward the goal of effectively protecting the organization's information assets.

Common Communication Gaps

Is your board informed? Communication is a two-way street, and this is the starting point for many communication gaps between management and the board. We often find that boards are simply uninformed or, worse, have a false sense of security because management reports focus on achievements over risk reporting. Boards and executive leadership carry out their duties on behalf of the organization by making informed decisions about investments, strategic direction and the like. The risk tolerance or appetite must be established by those very same stakeholders in an effort to balance the resources and priorities at their discretion. If leadership committees lack an appreciation of where residual risk exists across the operational control footprint, they cannot fulfill their duty to navigate the organization through efforts to improve the cyber risk posture.


Organizational gaps. Management is naturally inclined to present positively slanted perspectives relating to their functional responsibilities and therefore too often avoids the "difficult" conversation. As a result, leadership's perspective is often distorted or filled with "blind spots" concerning the true areas of risk. For organizations that conduct regular and consistent risk assessments, it is imperative that the results of those efforts be aggregated and shared with leadership. Establishing a common lexicon and structure for presenting residual risks is equally important so that the discourse between management and leadership can occur over stretches of time in alignment with a transformational maturation strategy or objectives. The board must define a common baseline understanding and revisit progress to address prioritized areas of risk. Improved trust between management and leadership can enhance the organization's efforts to appropriately focus time and resources on aligned goals and objectives. Doing so not only improves risk transparency and enables leadership to fulfill its duties, but also improves leadership's cyber IQ, ensuring a greater appreciation for the significant challenge management faces in protecting the organization's critical information assets.

Real cybersecurity vs. compliance requirements. Another common issue our team experiences is that leadership often misconstrues cybersecurity requirements as a sort of compliance checklist. In such cases, the quality of controls is distorted into a binary evaluation process that can create a false sense of security that an organization is meeting its objectives. Cybersecurity has both depth and breadth, and the quality and extent of how control requirements are met is a spectrum to be considered in concert with risk impact and likelihood. This is an important concept to consider when evaluating the security risk posture of the organization, but it is sometimes dismissed in favor of a pass/fail perspective when it suits the needs of leadership. While there are certain cybersecurity measures that are legally required and regulated based on industry and footprint, that is a starting point, not a finish line. Don't let your organization underestimate cybersecurity residual risk for the sake of achieving a passing grade on a related compliance assessment.

Communication Tips for Management

Be the expert. Remember: board members and executives have full-time jobs, and their cybersecurity knowledge may be limited because their only exposure is a white paper or news articles.

Embrace teachable moments. Education is essential to understanding cyber risk. If a board member wants to understand a simple topic such as phishing, use the opportunity to discuss related topics and strategies to mitigate the risk. If you see insecure behavior, treat it as an opportunity to educate.

Don't be a gatekeeper. Bridge technical and non-technical conversations by stating risks, considerations and recommendations clearly and concisely.

Be their news source. Raise awareness of the current threat landscape, communicate the constantly changing nature of cybersecurity and be candid about the risks facing your organization and the steps to prevent incidents.

Quantify the risk. Discuss the cost of doing nothing, including reputational and financial losses. Be clear that accepting the status quo is a risk and use data analytics whenever possible to help illustrate the cost associated with being unprepared.

Discuss the budget. Have open conversations about investments in cybersecurity and leverage benchmark comparisons where available to further illustrate the parity or disparity between your organization and your peers.
