If you haven’t already, then at some point you’ll need to have “the talk” with the business.
Introducing cyber security risk management to non-technical executives can be difficult, awkward and excruciatingly tiring. Unfortunately… the number one and arguably most important thing missing from most corporate cyber security risk management programs is senior leadership’s approval.
But quite often, as soon as you mention technology, security or risk, most executives either tune out or make excuses as to why it’s not a strategic discussion and should therefore be left to IT to handle.
Like any difficult subject, it’s best to ease them into the discussion and make iterative gains rather than try a full- frontal, tech-jargon assault and have it fail miserably.
Here are some ideas to help make “the talk” go a little easier for both sides…
Starting the cyber security risk management discussion with the CIA Triad
One of the best ways to start is by introducing the concept of the CIA Triad. Sometimes it is referred to as the AIC triad (availability, integrity and confidentiality) to avoid confusion with the Central Intelligence Agency. However, I’ve always found that telling non-technical folks that you’re going to start with something involving the “CIA” gets them interested and attentive — at least for a few minutes.
What is the CIA Triad?
Confidentiality, integrity and availability, also known as the CIA triad, is a model designed to guide policies for information security within an organization.
It’s basically a triangle comprised of three security priorities:
For confidentiality to be maintained on a network, data must be protected from unauthorized access, use, or disclosure while in storage, in process, and in transit. To ensure confidentiality, an organization can use methods such as encryption, access control measures, strict authentication procedures and user-security awareness and privacy training.
Integrity is the ability to ensure that data is accurate and is an unchanged representation of the original secure information.
This includes preventing unauthorized individuals from making modifications, preventing authorized individuals from making unauthorized modifications (intentionally or simply typos, etc.), and generally maintaining that data is valid, consistent, and verifiable.
Availability ensures data is readily accessible to the authorized viewer at all times. This includes not only making applications accessible, but also ensuring the supporting infrastructure – such as networks, servers and databases – is functional.
Availability depends on both integrity and confidentiality. Without integrity and confidentiality, availability cannot be maintained
Why the CIA Triad is a great place to start
Prioritizing the organization’s security needs is a great way to open the cyber security risk management discussion, as not only is it the foundation for all security efforts, but it also aligns the strategic priorities of the business to security needs. It’s an important conversation to have and a great place to start.
The CIA Triad is a simple security model that was developed not to be a complete cyber security framework, but to help people think about and prioritize important aspects of IT security.
Its’ three key principles should be guaranteed in any kind of secure system and are applicable across all industries as well as for the whole subject of cyber security risk management.
Prioritizing availability, integrity and confidentiality
Starting the process of cyber security risk management by defining these key concepts is not only a “teachable” moment; it’s also an opportunity to introduce the hard realities of trade-offs, balance and the need for prioritization when it comes to cyber security risk management.
For example, military and government agencies would likely prioritize confidentiality above integrity and availability. Confidentiality which focuses on preventing sensitive information from reaching the wrong people while making sure that the right people can in fact get access to it, is likely more important than inconveniencing users.However, during an emergency, full and unrestricted access to information may be the key to saving lives.
In comparison, a bank would have a much greater challenge balancing availability, which equates to ensuring systems are up and running as they should be to ensure overall customer satisfaction, with its obligation to ensure integrity. Availability is tied directly to profitability, while integrity involves maintaining the consistency, accuracy, and trustworthiness of data over its entire life cycle.
A hospital, however, may face the challenge of balancing the priority of availability, which ensures systems are always accessible to provide patient care and ensure patient safety, with their regulatory compliance needs to provide confidentiality.
As you can see, a simple three-sided triangle can trigger some deep and complex discussions about what is most important to the organization and how best to prioritize securing it.
Cyber security risk management is really about making tough choices
While there are only three choices in the CIA Triad, prioritizing them in a way that meets the business and security requirements of an organization is certainly not going to be an easy exercise. And that’s the whole point of this. Approaching the discussion in this way forces those hard conversations to happen and tough decisions to be explored, studied, examined, challenged and vetted at a very high level.
Focusing on just prioritizing these three high-level concepts facilitates discussion as it abstracts the “technology” for non-technical executives, while keeping the scope wide and strategic enough to really get to the heart of what matters most to the organization.
And frankly, this is the sort of thing the executives get paid the big bucks to do. Most executives are familiar with prioritizing the trade offs between doing things fast, cheap and good. So employing a similar triangular paradigm helps accelerate the discussion.
Why this approach works
Knowing the priorities of leadership at the highest level helps security professionals guide the creation of security programs, policies and posture for the organization that is fully aligned with the business strategy.
Often, getting started with this discussion and establishing these priorities is a challenge. However, defining the elements of cyber security risk that are most important to the organization is essential. And once this is complete, it provides the strategic guidance security teams need, and can be replicated from initial concept through ??
So, do you know the priority your organization places on each of the components of the CIA Triad? If not, do yourself a favour and find out.