Cybersecurity Awareness Month Doesn’t Have to Be Scary

Originally published by Blue Lava here.

Written by Veronica Wolf, Director of Product & Content Marketing, Blue Lava.

In the spirit of Cybersecurity Awareness Month, we thought we would de-mystify a few of the tall tales and horrors surrounding cybersecurity. We’ve also gathered up a few resources, so you’ll never have to “walk in the dark” alone.

7 Cybersecurity Myths, Debunked

“Your cybersecurity program is only as good as its technology.”

One of the common themes we hear from our community of CISOs, and security leaders is how little they attribute success to the specific software tools or technology they’ve invested in. Understanding the business objectives, the culture and how to leverage resources effectively, are commonly cited as a few of the key approaches to a successful program.

Learn how to align your cybersecurity program to the business.

“Cybersecurity is the responsibility of the information security team.”

The proposed security guidelines by the U.S. Securities and Exchange Commission promise to place greater responsibility on C-suites and Boards of publicly traded companies by standardizing disclosures related to cybersecurity risk management. In fact, the vast majority of Boards of Directors view cybersecurity as a business risk. In this digital age, a security leader needs to build a narrative in business terms in order to evangelize a security culture throughout the organization. As with human resources, marketing, and accounting, leading businesses consider a cybersecurity program foundational to the organization, and instilling policies, procedures, and awareness training to educate employees on security protocols (phishing, remote working, travel, etc.).

Learn more about the SEC cybersecurity guidelines in our webinar series here.

“Having a successful cybersecurity program means securing funding requests.”

Surprisingly, our network of successful security professionals tell us that while getting funding to run their operation is important, it’s not the endgame. What their leadership is looking for is an accurate picture and understanding of what the impact of that investment will be so they can prioritize investments based on risk appetite for the business, among other factors.

Learn how to communicate to the board here.

“We should always focus our cybersecurity efforts to address our largest risks first”

While at face value this sounds intuitive, you also have to consider the risk appetite of your business and specific industry. What may be an inherently high-risk rating for a financial or healthcare organization, may not mean the same exposure for a retailer, for example.

Learn best practices for security program maturity assessment here.

“ My security program maturity level is the only input I need to prioritize initiatives.”

Without infinite resources at our disposal, the answer to what to invest in is not as simple as targeting the lowest scores or what we can immediately address. Business executives need data translated into a risk-based view and weigh those risks higher in level of importance to the business.

“You’re only given a few minutes to present to the board. They just want to see the data, so you need to stick to the facts.”

While it’s safe to say the leadership team is data-driven and expects to see a business-oriented presentation, there’s more to it than charts and graphs. Today’s CISOs and security leaders tell us you not only need a consistent and accessible way to measure progress, it also takes a strong narrative and common language for each audience they address.

Learn how CISOs can build a narrative here.

“As the cybersecurity leader, It’s not my job to be your friend …I have to be the cybersecurity police to protect the organization from internal and external threats.”

This one we had to save for last. One of the biggest “aha” moments for many security leaders we know tell us that THE most important thing is to build trust through relationships. In fact, we commonly hear sharing ideas and building friendships across their internal and external networks is the best investment they have made as a CISO.

From the impending SEC rules on cybersecurity risk management, strategy, governance, and incident disclosure by public companies, to the latest cybersecurity breach or crisis du jour, the last thing you need are distracting cybersecurity myths.

About the Author

Veronica Wolf brings over 20 years’ marketing leadership experience in the technology industry for B2B organizations. Prior to joining Blue Lava, Veronica has led marketing initiatives for large enterprises such as IBM and Sungard Availability Services, as well as agencies and startups in the information security space. She has a Bachelor of Science in Business Administration, holds a certificate in Copyediting, and a Master of Liberal Arts in Journalism from Harvard University.