Creating a cyber risk aware culture requires awareness at your company in which every employee takes responsibility for cybersecurity. Get the tips to make this easier.
CISOs and other security leaders need buy-in from the Board and executive team in order to run effective cybersecurity programs. This requires communicating data about threats and cybersecurity performance in ways that are easy to understand.As a result, cybersecurity visualization is becoming more important than ever. In a field that's as interesting and exciting — and comes with such high stakes — as cybersecurity, you can’t allow knowledge gaps and technical complexity to obscure your message.
With high-profile data breaches on everyone’s minds, the Board is becoming more and more involved in cybersecurity decisions. In fact, 45% of board members say they actively participate in setting the security budget at their company. For CISOs, getting the sign-off on necessary IT projects, purchases, and partnerships often involves making impactful arguments to Board members who might not have IT backgrounds.
So, what cybersecurity visualization techniques can you use to gain executive buy-in?
Start With Better Data
You want to be armed with the best available data in order to create good visualizations. That doesn’t necessarily mean gathering more data — it means choosing the data that best illustrates your needs in clear, easy-to-understand terms.
[Learn how to improve accountability and responsibility about organization cybersecurity.]
Good data is historical — it measures the same points over time. It also helps set benchmarks that can be used to track progress or compare an organization’s security posture against competitors and industry averages. This kind of data is even better when it comes from an unbiased source.
Most importantly, good data tells a story. It can be used in ways that add context to major questions like “what threats should we care about?” and “how vulnerable are we to these threats?” Good data allows you to paint a picture of security that aligns with the overall business.
Security ratings are one example of good cybersecurity data, because they’re easy to understand, historical, and calculated using externally observable information. Bitsight Security Ratings, for example, quantify performance in critical cybersecurity areas using a simple number. These ratings make it easy to prepare charts and graphs that help Board members visualize cybersecurity performance.
Make the Right Arguments
Charts, graphs, infographics, and other cybersecurity visualizations are presentation aids — they’re there to help support your argument. Therefore, it’s necessary to choose visualizations that appeal to the needs of Board members. You need to provide the coverage they’re looking for in a context they can understand — the context of business.
As a security leader, you have a personal stake in creating a cybersecurity program that performs well. After all, your job might be on the line in the event of a major incident. Unfortunately, Board members don’t always have the same level of understanding when it comes to cybersecurity, which is why it’s important to reshape your arguments in terms that Board members can relate to.
For example, you can use visualizations that compare your organization’s security performance to the performance of competitors or the industry as a whole. When they see your numbers alongside other major players, Board members will have more context for the competitive consequences of their decisions.
You can also use visualizations that highlight the business consequences of underfunded cybersecurity programs. For example, you can use security ratings to show the relationship between outdated security systems and the likelihood of data breach. However, if you add the relationship between data breaches and regulatory fines or stock price dips to the chart, you might get more of a Board member’s attention.
The Secret to Creating a Cyber Risk-Aware Organization
The Secret to Creating a Cyber Risk-Aware Organization
Tell a Story
Effective visual design, presented with the right flow, will make complex or abstract ideas easy to engage with and digest. Giving senior leaders unprocessed spreadsheets or bland bar graphs about a subject that’s outside their area of expertise will generate a lukewarm response at best.
To improve the design and impact of your visualizations, you don’t need fancy fonts and colors. Your time will be better spent reading up on proven user experience (UX) principles.
Despite what you may think, UX is not exclusively in the purview of web developers and graphic designers. When you’re making a presentation to your fellow executives, the principles of UX apply. Do you offer up information in a way that’s easy to understand? Can you make the experience rewarding and enjoyable?
Many of the principles of UX are broadly applicable. Here are some that are especially pertinent to presentation design, via Laws of UX:
Miller’s Law states that the average person can only keep seven items — plus or minus two — in their working memory simultaneously. Organize your presentation so that key elements are condensed and emphasized.
The Law of Common Region states that people will tend to associate objects that are close together in a visualization, whether or not you intended them to be considered as a group. Carefully spacing elements in your charts and graphs is an important part of the design process.
Most important of all may be Hick’s Law, which states that the time it takes to make a decision increases along with the number of choices and their complexity. Keep your ask simple and your audience will quickly come to a conclusion. For example, using security ratings can reduce your proposal to something as straightforward as “our rating is low, our competitor’s is higher. We should improve by X points in order to achieve a competitive security posture. In order to do this, we need X resources.”
Make Everything Self-Explanatory
Finally, it’s important to make sure your proposal and your ask can be understood without you being there to explain them. You might not be present when the Board is making their final decision. At that point, the ball is in their court. By keeping everything easy to visualize and understand, even for non-technical individuals, you can ensure miscommunication doesn’t derail your proposal. Couple that with a defined call-to-action and a clear timeframe, and you’ll be much more likely to receive a positive response.