“If you don’t understand the risks, you don’t understand the costs,” security guru Bruce Schneier advised during a TED talk.
He was discussing security in the abstract — but it got me thinking about IT security in particular and the difficulty many executives face trying to determine if their organizations are safe from cyberattack.
The problem is that these conversations nearly always turn technical. Soon, a flurry of technology acronyms — confounding but apparently reassuring — begins flying around the room.
And, reports Schneier, it works. People, he says, will “respond to the feeling of security and not the reality.”
So what can a CEO do to understand the reality of security risk and grasp what the actual cost of security failure might do to the organization?
Control the conversation — and don’t allow the technical to dominate what should be a business conversation about your firm’s specific security risks and costs.
For example, you need to know which of your employees can use their iPads at the local Starbucks to log into your corporate database, what kind of information they can access, and how exposed to attack this makes your organization. You don’t need to know if it’s firewall or firefly technology protecting the corporate jewels as long as it does the job.
If your security conversations amount to nothing more than a list of product features designed to thwart some list of risks, then be concerned. And seek advice from a trusted security services partner.