Cybersecurity: is it time for a Goldilocks conversation?

Cybersecurity is getting lots of airtime at present, often for all the wrong reasons. Reports of leaks, hacks, and data breaches pervade news sites on an almost daily basis it seems. Sadly, many news articles are sensationalist: but that is what sells the news, I guess.

Many studies have been conducted to try to understand the problem—most of which seem to offer little when it comes to meaningful recommendations for directors seeking to mitigate business risk. Consequently, most studies and reports go in one ear and other the other.

However, a recent study by the Ponemon Institute does make interesting reading (link here). The purpose of the study was to determine if boards of directors are a help or hindrance to creating a strong cybersecurity posture. Significant differences between how boards and IT security folk perceive risk (especially cybersecurity risk) were exposed. The technical people tend to talk it up (validly or otherwise), whereas directors typically consider cybersecurity as one risk amongst many others. That directors and technical people have quite different perceptions about cybersecurity is hardly a surprise. However, it does highlight an operational problem. The perception gap has the potential to see either too much or too little invested in appropriate risk mitigation measures. Either way, the impact on the overall performance of the business is likely to be significant. How might this be addressed?

Perhaps the answer lies in a candid Goldilocks meeting, whereby directors, executives and IT security folk meet together (for as long as it takes), to discuss and reach agreement on two things:

• Understand cybersecurity from a risk perspective
  
• The nature of cybersecurity risk and how it might be addressed
  

A Goldilocks meeting should have the effect of ensuring that the board is suitably informed about cybersecurity matters, and the IT security people should gain an appreciation of the balance of the risks the board needs to consider. An appropriate action plan, agreed between the parties and based on a common understanding, could ensue.

To have the board, executives and technical people working together with an agreed purpose and outcome in mind, rather than talking past each other as is typical in many cases I have witnessed, might sound fanciful. However, it's bound to do wonders for morale and culture. Perhaps it might be the most beneficial outcome!