
The Importance of Common Language in Cybersecurity
One of the key challenges in cybersecurity is bridging the communication gap between technical and non-technical stakeholders. Technical experts often focus on threats, vulnerabilities, and technical solutions, which can overwhelm non-technical leaders. On the other hand, business leaders prioritize financial risks, compliance, and overall business impact. Having a common language in cybersecurity is crucial to ensure alignment.
This article explores how the Cybersecurity Compass serves as a framework to align these diverse perspectives. The compass guides cybersecurity discussions by focusing on three critical phases: before, during, and after a breach. This ensures comprehensive coverage of cybersecurity management, addressing people, processes, technology, and leadership.
Cybersecurity is not just the responsibility of the IT department—it’s an organization-wide concern. It should be treated as a business risk, meaning leaders across all departments must be involved in the conversation. Strong leadership is essential to foster a security culture and embed cybersecurity strategies into business operations.
Before delving into how to use the Cybersecurity Compass, it’s important to discuss a fundamental leadership skill: listening.
The Power of Listening
Effective communication is key when bridging the gap between technical and non-technical teams. Listening ensures both sides understand each other and collaborate effectively on cybersecurity strategies. Otto Scharmer's Theory U outlines levels of listening that can enhance the quality of conversations and outcomes.

Listening is an underrated but essential leadership skill. It’s not just about hearing words—it’s about understanding the message behind them. Active listening fosters a more inclusive environment that supports innovation and resilience. Both technical experts and business leaders must feel heard in cybersecurity discussions. This leads to better collaboration and trust, which strengthens cybersecurity strategies.
Common Biases and Assumptions
In my experience, biases, assumptions, and mental models often hinder effective communication. Here are some common biases:
Technical Audiences:
Complexity Bias: More complex solutions are assumed to be better.
Jargon Assumption: Using technical terms that others may not understand.
Isolation Assumption: Believing cybersecurity is solely an IT issue.
Non-Technical Audiences:
Oversimplification Bias: Underestimating the complexity of cybersecurity.
Cost Aversion: Viewing cybersecurity as a cost center.
Delegation Assumption: Believing IT can handle cybersecurity without other departments’ involvement.
Introducing the Cybersecurity Compass
The Cybersecurity Compass helps align technical and business perspectives by focusing on the three phases of a breach: before, during, and after. For each phase, the compass addresses people, process, and technology to ensure a unified approach to cybersecurity.
Before a Breach: Proactive Cyber Risk Management
Proactive measures are essential before an incident occurs. It's not a question of "if" but "when" a breach will happen. Key questions to consider:
People: Who are the key people in the cybersecurity plan? How are employees trained to recognize threats?
Process: How often are we assessing cyber risks? Are our systems and assets updated and monitored?
Technology: What tools are we using to monitor risks and threats?

During a Breach: Detection and Response
Quick detection and response are critical during an attack. Key questions to address:
People: Who is part of the incident response team? How are we communicating with stakeholders?
Process: What is the incident response plan? Are we isolating affected systems efficiently?
Technology: What tools are being used to detect and respond to breaches?
After a Breach: Recovery and Improvement
After a breach, focus shifts to recovery and learning for future resilience. Key questions include:
People: Who leads the recovery efforts? What support do affected employees need?
Process: How are we analyzing the incident and improving processes?
Technology: Are our backup and recovery tools effective?
Conclusion
The Cybersecurity Compass bridges the gap between technical and non-technical stakeholders, ensuring a unified approach to cybersecurity. By focusing on before, during, and after a breach, it helps organizations tackle cybersecurity comprehensively. Preparing for a breach, responding effectively, and learning from incidents enhance resilience and foster a culture of security. Remember, cybersecurity is everyone’s responsibility, and strong leadership is key to integrating security into every aspect of the organization.
