Interpreting technical cybersecurity jargon to stakeholders.

Introduction

As the world continually embraces dynamic technological advancements, it also faces the cybersecurity challenges associated with IT-based systems. The digital space encompasses a vast array of sectors including, but not limited to, banking, commerce, telecommunications, and government – all of which are vulnerable to cyber threats. Because of the increasing complexity of technology infrastructure, cyber-attacks have become more sophisticated, and many of them have led to financial losses, data breaches and service disruptions. Because cybersecurity matters are handled by technical personnel within an organization, it is often significantly difficult to convince non-technical executives to invest in the company’s security.

Here are some of the challenges faced in cybersecurity:

  1. Limited Resources – Because investing in cybersecurity may be costly, firms with stringent budgets may struggle to allocate sufficient resources towards their security needs.

  2. Lack of Awareness – Many organizations (especially SMEs) lack awareness about the importance of cybersecurity and the potential risk they stand to face. Most companies do not understand the value (cost-benefit analysis) of investing in cybersecurity.

  3. Rapidly Evolving Threat Landscape – Cyber threats are constantly evolving and becoming more intelligent – and as such, organizations must keep pace with new attack techniques.

  4. Complexity of IT Infrastructure – Modern organizations create a web of complex IT environments that consists of a mix of on-premises systems, cloud infrastructure, mobile devices, and third-party applications. Securing such diverse systems is challenging considering that each component may have its own distinct vulnerabilities.

  5. Third-Party Risks – Organizations collaborate with external partners, suppliers, and vendors – and if these third parties have weak security measures, then this could be a potential entry point into the organization’s system.

Because of the enormous negative impact that cyber-attacks can have on an organization, it is crucial to help stakeholders understand the names, risks, and impact of cyber threats to the organization they invest in. Stakeholders include Executive Leadership, Employees, Legal and Compliance Team, External Partners and Vendors, Customers and Clients. Here is why translating cybersecurity jargon is important in cybersecurity:

  1. Enhancing Decision-Making: Stakeholders (such as executives and board members) may not have a technical background in cybersecurity. By translating complex technical terms into relatable language, they can better comprehend the risks, implications, and potential solutions. This understanding in return enables informed decision-making regarding cybersecurity investments and strategies.

  2. Promoting collaboration: Effective cybersecurity requires collaboration among various stakeholders. Translating technical jargon helps bridge the gap between these groups, facilitating productive discussions and shared understanding.

  3. Mitigating misinterpretation: Technical jargon can be confusing and prone to misinterpretation, leading to misunderstandings and miscommunications, which in turn lead to ineffective security measures and inadequate risk management.

  4. Gaining Support and Buy-In: When presenting cybersecurity initiatives or requesting resources, stakeholders who are not well-versed in technical jargon may struggle to understand the importance and urgency of the proposed actions.

Defining high-level technical risk

Because cyber-attacks can be deployed in different forms and can target various aspects of a system (the people, the process, or the technology), it is necessary to define these high-level technical risks.

  • Malware Attacks: viruses, worms, ransomware, Trojans

This is software designed to infiltrate computer systems or networks with the intent to cause damage or steal information.

  • Phishing and Social Engineering: exploiting human psychology

This involves psychological manipulation and deception to exploit human behavior and trick victims into willingly exposing sensitive information.

  • Insider threats: intentional or unintentional compromise by employees

These are risks posed to an organization’s security by individuals with legitimate insider access.

  • Advanced Persistent Threats (APTs): long-term sophisticated infiltration

These are sophisticated cyberattacks that are typically carried out by well-resourced adversaries. APTs allow attackers to maintain long-term access to targeted systems without being detected.

  • Vulnerabilities in Software and Systems

These are weaknesses or flaws related to components of a system such as operating system, applications, network protocols and hardware.

  • DDoS Attacks: overwhelming a system or network.

This is the disruption of the normal functioning of a network, system or service by overwhelming it with illegitimate floods of traffic.

  • Weak Authentication and Access Controls

These are weaknesses associated with mechanisms used to verify and authenticate the identity and privileges of users accessing a system.

  • Cloud Security

Cloud security comprises the practices, technologies and policies designed to protect data, infrastructure, and applications in a cloud-based environment; the risk lies in gaps or misconfigurations in those controls.

Examples of Technical Jargon in Cybersecurity

  1. Firewall: a network security device that monitors and controls incoming and outgoing network traffic based on predetermined security rules.

  2. Intrusion Detection System (IDS) and Intrusion Prevention System (IPS): security systems that monitor network traffic for suspicious activities or known attack patterns.

  3. Encryption: the process of encoding data to make it unreadable to unauthorized individuals.

  4. Penetration Testing: Also known as ethical hacking, it is the method of assessing the security of a system or network by simulating real-world attacks to identify vulnerabilities and weaknesses.

  5. Vulnerability Assessment: The process of identifying and evaluating security vulnerabilities in systems, networks, or applications to determine potential risks and recommend remediation measures.

  6. Zero-day Vulnerability: A security vulnerability that is unknown to software vendors or has no available patch or fix.

  7. Malware: A broad term encompassing various forms of malicious software.

  8. Social Engineering: The use of psychological manipulation techniques to deceive individuals and trick them into revealing sensitive information.

  9. Denial of Service (DoS): An attack that floods a system, network, or service with excessive traffic or requests, thereby rendering it unavailable to legitimate users.

  10. Two-Factor Authentication (2FA) and Multi-Factor Authentication (MFA): An authentication mechanism that requires users to provide multiple forms of evidence to verify their identity.

  11. Man-in-the-Middle (MITM) Attack: An attack where an attacker intercepts and relays communication between two parties, allowing them to eavesdrop, modify or inject malicious content without the knowledge of the communication participants.

  12. Advanced Persistent Threats: A targeted, long-term cyber-attack carried out by skilled and persistent adversaries, often with specific objectives like stealing sensitive information or conducting espionage.

The Need for Stakeholder Engagement

It is crucial to understand that maintaining a good security posture for an IT-based system requires a mutual understanding between the technical cybersecurity team and the non-technical stakeholders, who primarily include the users of the system and the executives that make financial decisions directly affecting the cyber security division. Each individual stakeholder may also present unique insights that can contribute to the development of effective cyber security strategies. Engaging stakeholders also fosters a sense of ownership and accountability for cyber security within an organization. When everyone actively participates in decision-making, it is highly likely that all stakeholders will take responsibility for implementing security measures and adhering to cyber security policies. Most importantly, stakeholder engagement increases the likelihood of gaining support and obtaining the necessary resources for cyber security initiatives and projects. When stakeholders are involved from the beginning, they are more likely to understand the importance of cybersecurity and to allocate the required budget and personnel to support the organization’s security goals. Here are some tips to effectively communicate with stakeholders:

  • Use plain language – avoid jargon and use everyday phrases.

  • Avoid acronyms – spell out acronyms and provide their explanations.

  • Provide context – provide a real-world example to explain a concept – this better describes a problem or scenario.

  • Relate to familiar concepts – use relatable examples and analogies to simplify complex technical terms.

  • Use visual aids – diagrams, flowcharts and infographics enhance understanding; they help decompose a complex concept into relationships, processes, and dependencies.

  • Storytelling – incorporate narratives and anecdotes to engage the audience and make information more memorable and relatable.

Executive Summaries

The last thing worth noting when interpreting technical cybersecurity jargon for non-technical stakeholders is the creation of an executive summary of findings. This is a concise, high-level overview of the key findings, risks and recommendations related to cybersecurity issues noted in an organization. It is made primarily for executives and decision makers who may not possess technical expertise in cybersecurity but need to understand the implications and make informed decisions regarding cybersecurity strategies, investments, and resource allocations. The executive summary usually includes:

  1. Overview – an introduction and overview of the findings highlighting the most critical points.

  2. Identified Risks – a summary of the key risks and vulnerabilities identified during an assessment or investigation – focusing on risks that have the highest impact on the organization's operations, reputation, and financial well-being.

  3. Potential Impacts – a description of the potential consequences of the identified risks – these may include financial losses, reputational damage, or operational disruptions.

  4. Recommended Solutions – recommended solutions or actions to mitigate the identified risks.

  5. Required Resources – a summary of the resources required for implementing the recommended solutions – this includes budgetary needs, personnel allocation, and technology related investments.