There's mystique and fear around cybersecurity.

We need clearer messages about cybersecurity

When cybersecurity pops in your mind during the workday, you might be thinking about the IT department and the company’s management team. You’re probably sure that they have made wise choices for your safety. But you might also look in the mirror and find an experienced and wise leader there – a leader who wouldn’t like to admit that his or her knowledge on cybersecurity is insufficient. Clearer cybersecurity communication could help in strategic as well as everyday choices.

No worries – it’s actually quite common that even the company’s top management feels lost on cyber security issues, says Elina Niemimaa, Rona’s advisor and Business Director of Insta Secrays Oy. She has worked for years as a management consultant on information security and cybersecurity issues.

Jargon and mysticism – cybersecurity is considered difficult to understand

“There is a lot of mystique and also fear around cybersecurity. Media publishes stories about cyber risks and we know they can also threaten our own business. At the same time, everything is surrounded by uncertainty – what does “cyber risk” really mean in our case?” describes Niemimaa pointing out a typical starting point with the management team.

Many things may be clear and simple to security professionals, but appear to others as a difficult flood of terms. How is data protection different from privacy protection? What about cybersecurity and information security? How do we ensure that every employee has sufficient capacity to do the right thing?

Data security and clearer cybersecurity communication are matters of the entire organization

So are IT professionals a closed, stubborn tribe that has developed their own secret language? It would be stereotypical to think that way. However, it is essential to clarify the messages and communicate them even better between the various experts. As society and business become more and more networked, decision-making on the big lines of cybersecurity cannot be left to the security team alone.

Employees also want to do the right thing: no one basically wants to be a security risk. But if “cybersecurity” is thought to be a separate unit on the responsibility of others, it may not become a natural part of everyone’s workday.

Technology or people perspective?

Security can typically be approached from two directions:

Elina Niemimaa summarizes the typical reflections: “Management has long been told that investing in technology is important. On the other hand, media repeatedly talks about people as a “weak link”. What to invest in?”

A definition of strategy and direction is needed to find a balance between the two. Once the direction is selected, you also need to choose the right tools along the way.

Manager – are you sure you understand what is behind the investments?

Senior managers often are strong experts in their fields. They are accustomed to being knowledgeable, and they know that their employees trust them. It’s not that easy to admit out loud that actually cybersecurity might feel distant and hard to understand. It’s easier to buy IT solutions and leave them to the Security Operations team.

However, properly made strategic investments are a vital issue for any organization. Ultimately, the company’s investments, budgets, and also strategy are decided by top management, aren’t they?

Elina Niemimaa summarizes the essential question: “Do you invest in technological solutions or staff skills? What is the direction of your company?”

“Do you invest in technological solutions or staff skills? What is the direction of your company?”

Elina Niemimaa, Rona Finland Oy Board member, advisor for content and compliance.

The story doesn’t end there – security is practical deeds

Data and services are only secure when every employee understands their role in securing them. As human beings, we need timely information and advice to support decisions, whether big or small.

The abstract concept of cybersecurity needs to be disassembled to tools and deeds similar to traffic signs. We all know about general risks, but we still need some signs to show us, where we should be extra cautious.

“If cybersecurity is not understood, then we professionals have not explained things well enough,” emphasizes Elina Niemimaa.