Only 9% of security teams feel as if they are highly effective in communicating security risks to the board and to other C-suite executives, according to a recent survey conducted by the Ponemon Institute.
As a CISO, it can seem as though it is impossible to effectively explain and report the importance and workings of the organization’s cyber-risk program to an audience that views cybersecurity as yet another difficult to understand, technical topic. As a result, many board and C-Suite decisions related to security are made with gut feelings and with insufficient data.
When CISOs place themselves in the board’s shoes and clearly communicate and quantify overall cyber-risk, their message is better received, and they are more likely to get the support needed to transform the company’s cybersecurity posture.
Approaching cybersecurity through the board of directors’ perspective
CISOs must reconsider their communication approach and perspective prior to a board and/or C-Suite discussion. It’s crucial that they report cyber-risk in a language that the board and the rest of the C-Suite can comprehend. It can be quite frustrating to explain advanced malware or technical controls to an audience who is not savvy about the technical details of cybersecurity.
From a board member’s perspective, cyber-risk posture is viewed as a set of risk items with corresponding business impact and associated expense. The board wants to know where the enterprise is on the cyber risk spectrum, where it should be, and, if there’s a gap, how it’s going to close it. CISOs should focus on shifting the conversation from cybersecurity to cyber risk and provide concise, quantitative responses to the board’s questions without the use of overly technical terms or concepts.
Quantifying cybersecurity for the board of directors
A CISO must properly and accurately quantify cybersecurity risk and business impact when reporting. Given the massive size and complexity of the enterprise attack surface and the practically unlimited permutations and combinations by which an adversary can carry out a cyberattack, this is no small task. Done appropriately, and much needed executive level support and funding for information security is more likely to be had.
When quantifying cyber risk, there are four key areas to keep in mind.
1. Identifying the key areas of the business at risk of cyberattack and the current controls in place. As an example, if an organization prioritizes the risk of loss of intellectual property, the CISO will define this as a key risk item and help their colleagues understand how the cybersecurity program is aligned to managing this risk.
2. Comparing and quantifying their cybersecurity posture against peer organizations. It’s important to consider that board members and executives are most interested in knowing the level of acceptable risk that is appropriate, and comparison is a common method used to grade performance.
3. Quantifying internal benchmarking data will ensure that the CISO is showcasing what parts of the organization’s current cybersecurity program are working and what are not. With this data, the board can easily view how risk is distributed in the organization and the teams or areas that are driving the greatest risk. CISOs must present at a high-level the types of actions necessary to remediate key risks to bridge the gap between perceived risk in the boardroom and the actual on-network conditions.
4. Presenting a plan to achieve the recommended level of cyber-risk and providing quantifiable insights on improvement. A CISO’s plan needs to be converted into an easily digestible, high-level list of small steps or initiatives, each with corresponding time frames, required resources and a dollar cost. Furthermore, given that the board will expect the CISO to drive and execute a plan, he or she must quantify all the responsible constituents involved. During the next quarterly cybersecurity review with the board, quantifiable improvements that show the risk reduction outcomes a CISO’s team has achieved over time should be highlighted.
If CISOs are unable to communicate and unable to quantify their cybersecurity program, priority projects don’t get funded which leads to increased breach risk. Fortunately, today, there are many tools on the market that significantly improve CISOs’ ability to effectively and systematically report to the board.
Platforms are available that can analyze the entire attack surface in order to obtain a more accurate view of breach risk, compute a risk score for the enterprise, then compare that score against peer organizations. Not only will this allow for more transparency in the company’s security posture, but it will increase the business’ security teams efficiency and reduce risk by seeing which actions need to be taken in order to improve security posture.