RSM Australia

Articulating security issues in business language

The essential art of articulating security issues in business language.

Business leaders who aren’t thinking about cybersecurity as a key business risk could be setting their organisations up to suffer the potentially devastating consequences of a cyber attack.

With both human error and malicious actors posing a significant threat to the security of business-critical information, it’s essential for organisations to set and enforce a cyber-secure culture. This can help to minimise the chances of an attack being successful, as well as mitigate the effects of a successful attack. 

According to a 2018 Frost and Sullivan study commissioned by Microsoft, the cost of a cyber attack to a large-sized organisation (over 500 employees) in Australia could add up to an economic loss of $45.9 million if a breach occurs. The effects of a successful cyber attack can include business disruption, information and revenue losses, productivity losses, and equipment damage.1

The uncounted cost of a cyber attack is the damage done to a company’s reputation. With personal information a key target for cybercriminals, customers tend to lose faith in companies that can’t keep their personal and financial details secure.

Security can be compromised when senior business leaders don’t fully comprehend the scope and severity of the risk faced by the business. Often, executives and board members are misinformed about security-related issues, believing them to be the purview of the IT department. Even organisations savvy enough to have a chief information security officer typically leave security-related issues to that person and take an interest only if the company suffers a breach.

If CEOs and CFOs truly understood the magnitude of the security risk they face, along with the potential for everyone in the business to contribute to a more secure organisation, they would likely become enthusiastic advocates for more resources to be allocated to security.

Effective communication is the only way to achieve this goal. CISOs can’t convince business leaders by using technical terms and jargon. It’s non-negotiable that technology leaders articulate security issues to business leaders using the language of business. CEOs and CFOs understand business risk; they don’t necessarily understand (or care about) traffic metrics and event-log information.

Financial functions are often the first target to be attacked because they can be so lucrative for cybercriminals.

Therefore, CFOs need to be completely cognisant of the security elements of all financial systems and platforms. This includes identity and access management, controlling access to applications, patching vulnerabilities and reminding staff of the risks of social engineering attacks.

Leaving these security-related issues solely in the hands of the IT department increases the risk of a successful attack. Instead, executives and board members should become proactive participants in the battle against cybercrime, working in partnership with the IT and security teams to keep the organisation safe.

For more information

If you have any questions regarding cybersecurity for your business, contact an RSM specialist today.


This article first appeared in Cyber Australia magazine. 


Darren Booth
National Head of Security and Privacy Risk Services
