Cybersecurity has become a business topic taking more prominence in the boardroom. A global survey conducted last year named cyber-attacks and data loss as the top two risks concerning directors & officers due to the pandemic-related changes such as work from home, hybrid working environments, and cloud technology transitions. The survey covered the USA, UK, Europe, and APAC across various industries.
With many data breaches and ransomware attacks making the news, and the associated catastrophic consequences such as operations shutting down, financial/revenue losses, damage to reputation, etc., many boards of directors and C-suite officers have woken up to the fact that cybersecurity is no longer an IT issue but a business issue.
Additionally, according to a white paper published by RSA’s Security for Business Innovation Council, cybersecurity has evolved to where the “risks and associated costs now fall squarely within the fiduciary responsibilities of a company’s board of directors.”
There have even been lawsuits seeking to impose personal liability on directors and officers, alleging they bear responsibility when a cyber incident takes place. Therefore, this group could become a significant force in minimizing cyber risks in the enterprise.
Despite all this, we have found that many CISOs struggle to explain the resources, commitment, and budget required to safeguard their company systems, data, and assets for various reasons. One example of this relates to the need to translate cybersecurity risks into business risks, which is what board members will relate to. The immediacy of these risks and their horrific impact on organizations is not always apparent in all industries and should be communicated clearly and concisely to the board and C-suite.
What Do C-Level and Board Members Need to Know?
Often, boards and officers have varying levels of knowledge when it comes to cyber security. Some are tech savvy and follow trends closely, while others have a vague grasp of the vast array of topics encompassed in enterprise cyber security.
Regardless of what each board member may know, they will typically want to hear the CISO report on the company’s current ability to identify its most critical assets, the defense plan in place to protect those assets, and to what degree the company is executing against that plan to manage risks and vulnerabilities.
The report should provide leadership with an understanding of the threats and vulnerabilities the security team is seeing and the proactive actions being taken to mitigate those threats. It is essential to clearly understand how those threats and vulnerabilities could impact business functions. The report should also discuss long-term strategies, objectives, investments, and related returns on investment (ROI, see below) to deal with these threats, as well as a clear progress update in achieving the objectives.
Here are some basic questions that CISOs need to answer for the board and C-suite:
- What are the risks we are facing?
- What is the cybersecurity team doing about it?
- Does the team have what it needs to make the right decisions and act quickly?
- Are company assets, data, and systems secure?
- How would we know if we have been breached?
- How does our security program compare to other companies in the industry?
- Do we have enough resources for our security program?
- How effective is our program; is our investment correctly aligned?
Building a Winning Narrative
Regardless of board members’ level of knowledge, we typically recommend that CISOs bring everybody up to speed with a brief story providing background and context to the company’s cyber security status, posture, and defense plan. This includes outlining the current threat landscape, meaning the risks and attackers that might be motivated to harm the company. This story should also mention current countermeasures to slow attackers down and how company systems are being used to neutralize them.
If CISOs have specific examples of how attackers have come after their organization and what has been done to stop them, those are best. Still, if those are unavailable or occurred years ago, they should mention notable incidents such as the Apache Log4j vulnerability, SolarWinds, JBS, Capital One, Facebook, Equifax, OPM, Yahoo, JPMorgan Chase, and others. The goal is to use examples relevant to the industry rather than citing random occurrences that bear little resemblance to the organization. These actual attacks and breaches help create a context for what has affected similar organizations.
We don’t recommend reviewing specific new tools or technology because it will not provide value to non-security practitioners. However, if a cyber incident was stopped or mitigated thanks to a tool or device that the CEO or the board had approved in a previous meeting, that’s something to mention. This should be embedded into the story, but the tool or technology should not become the story itself. This allows the CISO to turn the CEO and the board into heroes while moving on to the desired outcomes of the current meeting.
By presenting the technical item as a business problem, it is easier to acquire the necessary funding, staffing, etc., to close the risk quickly.
Building Trust by Choosing the Right Metrics to Share
Rather than showing technical or operational metrics that can be difficult to explain when you have a 15-minute showcase, we recommend building trust by using a few qualitative and quantitative tactics and metrics. Here is a short list of options to choose from (our consultants typically recommend sharing 3-4 relevant metrics).
- Risk assessments performed and what was discovered
- Planned tabletop exercises and simulations that will feature the participation of board and C-suite executives
- Top security priorities currently being handled, plans for the current half and next half of the year
- Employee training programs and testing
- Red team – blue team simulations and the results reported
- Results of other initiatives to reduce risk and upgrade the company’s security posture
- Security integration with application development (where applicable)
- Risks the company has accepted per risk tolerance and risk appetite
- New vulnerabilities discovered vs. remediated
- Patch management – dates, plans, frequencies
- Number of incidents and vulnerabilities
- Number of non-remediated risks and why they have not been remediated (show priorities are being addressed)
Discuss Nation-State Grade Attacks
In recent years, there has been a dramatic leap in the tactics, techniques, and procedures behind powerful cyber-attack tooling, including tools originally developed by the NSA, and purchasing such tooling on the darknet has become easy and fast. In the past, only nation states had access to such weapons. Today, however, various cyber-criminal groups have access to these nation-state-grade attack tools and use them thousands of times every day, most often for financial gain, which has created a new level of risk for the enterprise.
The cooperation between these groups has increased, so knowledge and tool sharing makes it more likely that many companies will experience a nation-state-grade attack.
We have seen that these criminal groups are often protected by their countries, such as Russia, Iran, China, and North Korea. This means that the perfect conditions are available for these attack groups; therefore, additional expertise is often required to handle this threat level. CISOs should bring forward their thoughts on mitigating these risks beyond regulatory requirements and mature their organization’s security plan beyond its current level.
Explaining ROI and Cybersecurity Investments
Since cybersecurity poses new and ongoing challenges, no dollar amount could make the risks disappear, and it is important to explain this to the board. Therefore, when discussing cybersecurity investment, some general benchmarks should be used, but investment decisions will vary based on the maturity of the overall security program, the industry, and other factors.
The subject of ROI might be somewhat complicated for cybersecurity, as the most significant variables, such as brand reputation value, the compromise of data or personal information, and potential legal costs, are harder to quantify. Nevertheless, it is undoubtedly possible to estimate “what if” costs:
- Value loss prevented by incident mitigation
- Number of advanced persistent threats per month prevented
- Percentage of systems compliant with security standards
Additionally, we have found that most boards and C-suite executives want to know the options for investment, and especially which investments make the most sense in the CISO’s own opinion. We recommend that CISOs use this opportunity to demonstrate their business acumen (which we find high) and add value and context to these decisions.
The CISO is the main storyteller and advocate for cybersecurity in their organization. They are responsible for setting the vision, values, and plan of their organization’s cybersecurity program. Their data and cyber security experts have something important to say. But if it is not packaged appropriately for the audience, what their data and expertise have to say might get lost in translation. Getting the message and desired outcomes across requires translating cyber security issues and risks into business issues and risks.
The suggestions above are based on our experience as consultants to CISOs in large enterprises. We aim to provide other CISOs with practical advice on reporting high-level analysis to their C-suite and directors to achieve desired outcomes.