“The days of talking about FUD (fear, uncertainty, doubt) are over; that’s a low-maturity conversation. It needs to be something more sophisticated, and CISOs must grasp enterprise risk,” De Lude tells CSO. “You have to be able to frame the conversation for others, speak to their interests in their language and have the right level of detail. These are the ingredients for a good story.”
What CISOs need to consider to tell the right risk story
One of the hacks De Lude uses is to draw on topical news stories relevant to the audience in her risk conversations. It helps join the dots while demonstrating the importance of the security program and the need to avoid being in the headlines. “I frame it in terms of what they’re concerned about, so if they’re on the board, it’s brand risk or regulatory risk, and I talk about the implications and what we’re doing to reduce that risk through the security program,” she says.
Even so, there are challenges in adopting the right language. The risk terminology is limited and can restrict the discussion, according to Alexander Hughes, director of cybersecurity and compliance with Visa. To address this, he suggests quantifying risk in terms of loss or degraded assets — diminished functionality or value due to attacks — which is easier to understand within a cybersecurity story. “If you can talk about risks as costs, there’s more nuanced language such as revenue loss. So, if a service is attacked and not functioning, the asset is degraded or destroyed, and revenue is lost,” he says.