Like almost every IT security leader, Matt Riley, data protection and information security officer for Sharp in Europe, often finds himself in difficult conversations with business colleagues about what they can and cannot do from a cybersecurity perspective.

“My approach,” he says, “Is that the answer’s never ‘no’. You don’t win hearts and minds with what is a really important subject by saying ‘no’ all the time.” Referring to UK government research, Riley says businesses see cybersecurity and IT security as a high priority. “We know that the level of concern over  cybersecurity is growing. But compared to 10 years ago, there is now much more awareness of why it is important.”

However, Riley says that among the challenge facing cybersecurity professionals is the fact that level of knowledge around cybersecurity is relatively low. Business decision makers are not experts in cybersecurity. “Just saying ‘no’, means we’re putting up barriers,” he adds.

Riley uses storytelling when handling difficult conversations with business colleagues regarding cyber risks associated with initiatives or projects they want to push forward. He says: “It’s about making the risk relatable to the person you’re talking to.”

Given that IT security uses a lot of technical terminology, convincing people means providing a way for them to assess the risks in a context they can understand. “I have a lovely example with Sharp’s  leadership team,” he says, where business decision-makers were able to make an informed decision on whether to take on a new wireless network equipment supplier. “It was a really, really good proposition,” he says. “Everyone was very galvanised that this was a great idea. So I took the steps to review the company. We needed to understand how they would  protect our data.”

Following the due diligence, Riley says he sat with the leadership team and asked who would like to be involved at board level to sponsor the IT supplier in question. “I then said that there were a few caveats. They [the wireless equipment supplier] won’t give us service level agreements; they won’t give us uptime; they won’t give us any sort of reassurance that their product meets our minimum security requirements.”

Riley says that following this conversation, nobody was willing to be the executive sponsor. “I didn’t say ‘no’, but I led them to an informed decision where they came to that conclusion anyway,” he adds. 

Among the growing areas of concern for IT security chiefs is the supply chain as a potential point of failure and cybersecurity weakness. Riley expects supply chains threats to increase exponentially over the coming years. Tackling such attacks requires a cultural change, which is always difficult.  He says: “We as a company, and every company, should have a real level of due diligence over the supply chain. But we need to  take a risk-based approach because we don’t live in a world of black and white: we live in a grey sort of spectrum of what’s secure and what’s not secure.” Against this backdrop he says IT security leaders need to ensure they have put in place appropriate controls to help protect the business.