Solution Provider CISO: Security Dialogue With C-Suite Must Focus On Risk, Loss

MSSPs looking to tighten their bond with C-level executives must improve their ability to talk about business risks and the consequences of loss, said one solution provider security executive.

In order to have strategic conversations with customers about security, solution providers need to adopt the language chief risk officers use and that CEOs hear on a daily basis, said Atrion CISO Richard Moore. Solution providers should be addressing issues such as fraud, business performance, service interruptions and regulatory compliance when talking with customer executives, Moore said.

"We haven't talked about how those technology risks interact with business risks," Moore said Sunday at XChange University: IT Security, hosted by CRN parent The Channel Company. "We've got to change that."

[Related: Atrion Communications Doubles Down On Cyber With Hire Of Insurance Security Exec As First-Ever CISO]

Solution providers have long struggled with moving cybersecurity into the business world without using technical jargon, scare tactics, or relying on concepts that confuse business leaders, Moore said. By orienting the conversation around risk, Moore said solution providers will be better suited to speak to customers about what is or isn't safe.

Solution providers are too often talking with technology teams only and not aligning their findings with the business side of the house, Moore said. Although some channel partners do employ business analysts, Moore said the decision-making is being driven mostly by the technology teams based on what they heard from someone in the business.

Technology can help in areas such as automation and reducing headcount, Moore said, but ultimately the conversation needs about reducing the consequences of loss rather than the latest threats like ransomware, malware, or cryptomining. By adopting business language, Moore said solution providers can better address what the technology is being used for.

"I have to learn how to understand the technology so that I can transfer that language into business," Moore said.

The message resonnateed with Indy Batra, CEO of Ventura, Calif.-based solution provider MJP Technologies, who said security conversations tend to be most effective when they're focused on assessing loss and the potential for revenue loss from downtime. After assessing potential losses and threats to business continuity, it becomes easier to talk to clients about what you can offer, he said.

MJP Technologies is preparing itself to enter the security market, and Batra said that begins with conducting assessments, making customers aware of risks, and having a solution ready to present to clients. Batra plans to come up with a basic security bundle for every client, and work with his team so that they have the confidence needed to protect clients.

"The risk and loss is for real," Batra said. "Coming up with the right tools and the right strategy is very important."

Businesses should start by building a pyramid of assets, vulnerabilities and threats, Moore said and then consider how those technologies can integrate and support each other inside of the program. By looking at the connective tissue, Moore said solution providers can better address how the tools work inside a customer's environment and make the client more successful by reducing the consequences of loss.

Moore said that quantifying assets starts with looking at its deprival value, or how acceptable a business leader would find it to lose or not have access to the asset for a certain period of time. This judgement is inherently subjective, Moore said, and shouldn't have math applied to it.

Customers want to know their risk evidence, risk evaluation, and risk response, and Moore said solution providers need to figure out how to report on these from a security perspective. Moore recommended that partners align their teams, programs and processes around governance, risk management, security assurance, security operations, and intelligence.

Intelligence is particularly important when it comes to communicating with business leaders more effectively since it shouldn't be technology driving those conversations, Moore said. From there, Moore recommended that security solution providers focus on building tools based on the principles of identification, protection, and detection.

"The job is to minimize loss," Moore said. "It's a completely different topic than buying technology."