In our feature interview last week, we talked about the importance of communication when selling the C-suite on risk management. This week, we talk to Carlota Sage, a virtual CISO (CISO as a Service), about more tactical approaches to use in the risk funding discussion.
You’re a proponent of IT learning the business rather than the business learning the tech.
Sage: It’s easier for IT to understand the business than it is for business to understand the technology. You’re securing organizations that sometimes have very little technology or they have a lot of technology, but they’re not the ones who created it or know how to maintain it. They are purely the consumers of it. So in this increasingly cloud-native, digital-native world, the security person needs to be less focused on the technology and more focused on the business.
Give us an example.
Sage: I give a talk called Show Me the Money. One of the things I talk about is how to talk to the business. One of the diagrams that I put up illustrates people, process and technology in a Venn diagram. At the center is data that you’re trying to protect or, if you’re in a hospital situation, lives that you’re trying to protect. Everything is related. While IT tends to hyper-focus on the technology, we can lose focus on what’s really important. If we can’t communicate back to our users, or to our C-suite or board of directors, why that technology is actually going to help the business, it’s just going to be harder to get that investment.
And to be important to business, it has to have an ROI.
Sage: Yes. I offer some free tools in my GitHub account, one of which is for risk and recovery estimates. So if you’re a SaaS platform providing a subscription service, you have to know just how much your revenue would be impacted by a data breach. If something goes down for an hour, or for a business day, you need to know the impact. You should be putting that in your business continuity plan as well. When you have those numbers, you can go to your finance folks and say, ‘Hey, help me understand what the business impact is. When will revenue stop generating? How long until we go out of business?’ You learn what the risk to the business is so you can understand what you need to be protecting better.
You want to be a partner with the C-suite.
Sage: Right. Let’s use an example. I hate dealing with money. So an accountant does everything I never want to do. I’m so glad that person exists. That’s kind of how you need people in your company to be — excited that they don’t have to do what you’re doing. But you also have to understand their perspective. A lot of that is actually using the phrase, ‘Help me understand.’ To the CFO: ‘Help me understand what’s important to you.’ To the marketing person: ‘Help me understand what’s important to you.’
The marketing person would be concerned with social media.
Sage: And social media isn’t the security person’s problem because there’s not much you can do other than turn on MFA. But you can coach people a little bit. I’ll give you a really good reason why you need to care. I had one client where the marketing team was fantastic. They sat with me and went through all of their social media accounts. I watched them turn on MFA. I took screenshots. I was really confident that they weren’t going to turn it off because they genuinely seemed to understand what I was saying as to why it was important.
But their Facebook ads account still got taken over, probably through a browser exploit, although Facebook will never tell us. Facebook froze that account and kicked the bad actor out in under 12 hours. But they didn’t unfreeze the account and hand it back to the client for seven days. That client lost $200,000 a day in revenue.
You work with small to medium-sized businesses on cyber strategy.
Sage: Most of the clients that come to me have 50 to 100 employees, maybe 150 at most. These companies understand that they need security, but they don’t understand what that entails. The majority, about 85%, of those companies are responding to their customer base saying they need them to have a security strategy. The remaining 15% have an investor or board of directors saying they need a security strategy. They’re very aware of where they’re lacking.
Carlota Sage spent 15+ years in tech, first with large-scale content management system implementations, then in knowledge services for IT and Support Operations (help center and community development) before moving into cybersecurity. She offers some free Excel worksheets in her GitHub account that can help you kick-start your cybersecurity program, including a cybersecurity roadmap strategy and example risk and recovery estimates.