At a recent banking CEOs and directors’ forum in Sydney, a CEO shared what keeps him awake at night. Not surprisingly, the two biggest issues in his eyes were “the availability of IT systems and Hackers.”
The availability of IT systems did not come as a surprise, and the fact that he was concerned about a security compromise was not a surprise either. What did surprise me, however, was the choice of word he used to describe his security concerns – Hackers. The CEO did not use the words data breach, security compromise, or financial or reputational risk – yet that’s all we use as cyber security experts or as an industry.
He used the word hacker; to him it was personal and emotive. A faceless person, a dark character of flesh and blood with a mind that is unpredictable, a character that exudes uncertainty and is skilled and capable of causing a single catastrophic event. A threat actor that needs to be eradicated.
One word embodied so much for this CEO.
In this mindset, the goal becomes: stop the hacker. Simple, right? In theory, yes; in practice, if only it were that easy. We know that with all the security technology available to us, this remains near impossible on cost alone. The discussion then moved on from stopping the hackers to mitigating the risk in the form of cyber insurance – let’s not worry about doing all we can to prevent a breach, rather let’s make sure that should something occur, we have insurance to cover costs associated with data recovery. Sadly, there is no insurance to cover reputational risk to your brand when something happens, which is almost impossible to quantify in both direct and indirect costs for years to come. What an altogether disappointing conclusion to the discussion.
What I did take from this experience is that maybe we need to think about the language we use – should we consider moving away from hard, cold, almost “clinical” words to a more emotive, descriptive and approachable subset of language to describe cybersecurity risk? I don’t know the answer, but it has certainly got me thinking about the language I use with our clients. We will make more of an effort to think about appropriate use of security terms and pepper them with what our customers use when they think about cyber security – perhaps it is time to make cybersecurity more relatable and approachable. What do you think?