F5’s executive leadership got an urgent message: a malicious actor within the company was sending confidential information to a third party that could put customers at serious risk. We immediately formed a combined response team of technical cybersecurity experts, executives, and business process stakeholders. Working together, we began to gather information about the nature and scope of the threat so we could assess the situation and determine what our next actions should be. The decisions we made over the next few hours could be critical to the future of the company.

By now any F5 PR people reading this are probably having a panic attack, so I’ll pause here to say that this was not an actual cybersecurity incident: It was a tabletop exercise that my team and I developed to simulate an actual security incident in real time.

Why a Tabletop?

We had several goals for this exercise. One was to run my technical team through the drill to validate and develop the roles, responsibilities, processes, and levels of decision-making authority we’d established for incident response. Another goal was to teach the less technical, more business-focused F5 stakeholders how to think—and communicate—the way cybersecurity professionals do.

Revenue, reputation, and customer trust all depend on how well the business and technical sides of a company work together. As Chief Information Security Office (CISO) for F5, my challenge is often having to communicate how technical risk translates to business impact. Much more than any memo or presentation, one of the most effective ways to help a business leader see the connection between technical risk and business risk is to let them experience firsthand what can happen if things go wrong.

Business Risk vs. Technical Risk

What’s the difference between business risk and technical risk? Put simply, a business risk is an uncertainty that can limit or threaten the viability of a commercial business. Such risks can be external or internal—anything from supply chain issues to changing customer preferences, or an executive’s behavior on their personal social media account.

A technical risk is an uncertainty that can cause limitations or failures in the functionality and performance of technology. These risks include complexity, integration with other products, and service outages.

The Known Exploited Vulnerability (KEV) catalog maintained by the Cybersecurity and Infrastructure Security Agency (CISA) is a good example of how technical and business risk intersect. If a product is on that list, customers who purchased it need to upgrade or patch it to reduce the likelihood of compromise by known threat actors. From a business risk standpoint, a vendor’s appearance on the list represents customers’ investment in time, energy, and money—which has an impact on that customer’s business, as well as on the vendor’s reputation, share price, and revenue.