Effectively Communicating Risk with Visibility: Eli Edelkind’s Cybersecurity Playbook for Executives

This cybersecurity playbook is inspired by Eli Edelkind’s insights on the crucial role of building relationships in cybersecurity to affect change in information security and the business. 

He recently shared his recommendations on CyberOXtales podcast, highlighting how visibility in your cybersecurity environment can enhance communication with stakeholders and prioritize risk management effectively.

The Playbook

Objective:

💡 The primary objective of this playbook is to improve cybersecurity communication strategies by leveraging visibility into assets, software, and infrastructure. By providing a clear understanding of the cybersecurity landscape, organizations can communicate risks more effectively and make informed decisions.

Key goals include:

1. Establish Visibility: Ensure a comprehensive view of all assets, software, and infrastructure.
2. Prioritize Risk: Identify and categorize risks based on visibility data.
3. Improve Communication: Share risk information transparently with stakeholders.
4. Comply with Regulations: Stay updated on and compliant with evolving cybersecurity and privacy regulations.
5. Foster Collaboration: Enhance collaboration between cybersecurity and other business units.

Step 1: Establish Comprehensive Visibility

• Utilize advanced cybersecurity tools to gain visibility into all assets, including endpoints, IoT devices, and OT systems.
• Perform periodic scans to identify all devices and software within the network.
• Create and update a detailed inventory of all assets and their security postures.

Step 2: Identify and Categorize Risks

• Review data collected from visibility tools to identify vulnerabilities and potential risks.
• Group risks based on their impact on people, applications, and infrastructure.
  • People: Assess risks relating to various user groups such as administrators, contractors, and employees.
  • Applications: Evaluate risks based on the business criticality and data sensitivity of applications.
  • Infrastructure: Prioritize risks associated with different infrastructure components, such as card data environments and point-of-sale systems.

Step 3: Develop a Communication Strategy

• Adjust your communication approach for different stakeholder groups, including executives, other IT teams, and business leaders.
• Clearly communicate any gaps in visibility and how they impact overall security.
• Present risks in business terms that stakeholders can understand. Focus on how risks affect business operations and compliance.

Step 4: Ensure Regulatory Compliance

• Stay updated on changing cybersecurity and privacy regulations, especially those varying by state or industry.
• Collaborate with legal teams to ensure regulatory requirements are met.
• Adapt cybersecurity practices as needed to comply with new and existing regulations.

Step 5: Foster Internal Collaboration

• Depending on the organization structure, decide who the CISO should report to (e.g., CIO, CFO, risk committee).
• Involve cybersecurity in IT and business roadmaps to integrate security from the start.
• Work closely with different business units, including people and culture teams, to understand and mitigate cybersecurity risks collectively.

Step 6: Continuous Improvement

• Regularly review and update visibility tools and risk assessments.
• Establish a feedback loop with stakeholders to continuously improve communication and risk management strategies.
• Conduct ongoing training sessions to ensure that all team members understand the importance of visibility and effective cybersecurity communication.