How CISOs can communicate cyber risk to the board [Q&A]
The current economic downturn has meant significant budget cuts for many enterprises. But cyberthreats continue to escalate and businesses need to take them seriously.
This means that more than ever CISOs must prove the value of their cybersecurity programs to senior management. But how can they do this effectively? We spoke with Tim Erlin, VP of product innovation at SecurityScorecard to find out.
BN: How has the role of the chief information security officer (CISO) evolved?
TE: The evolution of the CISO mirrors that of the CIO in many ways. Early CISOs were primarily technologists who were tasked with expanded leadership responsibilities around security. Over time, CISOs have become increasingly business focused as cybersecurity has become increasingly impactful to the bottom line. While the CISO's responsibility remains cybersecurity, they're increasingly tasked with connecting it to the business and communicating in business terms. Most modern CISOs are now business executives who specialize in cybersecurity instead of technologists who are surprised to find themselves in the board room.
BN: Why is it important for the board to understand cyber risk?
TE: Cyber risk is impactful to the business, and as such, it's well within the purview of the board. As the cyber threat landscape rapidly evolves, cybersecurity can no longer be the sole responsibility of CISOs and security teams. Senior leadership and the board must have a clear understanding of potential cyber threats to the business in order to make informed decisions about the company’s investments and goals. Successful decision making around cybersecurity risk requires that CISOs understand and are able to communicate technical risk in language that other executives comprehend. While 88 percent of boards of directors already understand that cybersecurity is a business risk, the majority of CISOs say that properly communicating cyber risk in business terms to their board is a challenge.
BN: Why do CISOs struggle to effectively communicate cyber risk to their board?
TE: CISOs lack a common language for discussing cybersecurity risk with business executives. Board members are used to communicating in financial terms, and discussing how risks and opportunities translate to organizational results. While they may understand that cybersecurity is important, they don't speak the language of cybersecurity risk. When CISOs create board-level presentations, they use the tools and language available to them, resulting in more technical than business presentations. The end result is a disconnect between CISOs and the board. The board checks the box for 'monitoring cybersecurity,' but there hasn't been a meaningful conversation about risk.
If CISOs aren't able to prove that the money they're putting into the cybersecurity program is providing value to the broader business, they risk losing budget or leaving the company vulnerable to threats and compliance issues. In an extreme scenario, the CISO could even lose their job.
BN: Do you have any recommendations for how CISOs can best articulate cyber risk to senior management and their board of directors?
TE: CISOs often have limited time with the board, so it's important to use it effectively. Identify and report consistently on a set of metrics that matter to the business. Avoid reporting activity and focus on Key Risk Indicators. Wherever possible, report in financial terms. CISOs should use Cyber Risk Quantification (CRQ) to translate cyber risk into financial impact. By putting a monetary value on cyber risk, CISOs can help their board understand the financial impact that a potential cyberattack could have, obtain insight into the likelihood of cyber events over time, and measure the decrease in expected losses if problems are resolved. Scenario planning is also a powerful technique CISOs can use to create an effective cost-benefit analysis. For example, they can show their board how a $150,000 cybersecurity tool is protecting the business from a projected multi-million dollar data breach, resulting in significant savings over time.
CISOs should also encourage their board to bring on a cyber expert. A board member with strong cybersecurity awareness and background can help support the CISO by amplifying the importance of their cybersecurity investments and effectively responding to questions.
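A worked illustration of the CRQ and scenario-planning cost-benefit approach described above, added here and not part of the interview or of SecurityScorecard's tooling: it compares expected loss with and without a control, shows how event likelihood accumulates over several years, and reports the net benefit of the spend. The $150,000 tool cost comes from the answer; the breach cost and probabilities are constructed assumptions.

```python
"""Cyber Risk Quantification (CRQ) scenario comparison, added example."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    annual_probability: float  # likelihood the loss event occurs in a given year
    loss_if_occurs: float      # single-loss expectancy in dollars

    def expected_annual_loss(self) -> float:
        # Annualized loss expectancy: likelihood times impact.
        return self.annual_probability * self.loss_if_occurs

    def probability_within(self, years: int) -> float:
        # Chance of at least one event over the horizon, assuming
        # independent years: 1 - (1 - p) ** years.
        return 1.0 - (1.0 - self.annual_probability) ** years


def control_cost_benefit(before: Scenario, after: Scenario,
                         annual_control_cost: float, years: int) -> dict:
    """Compare expected losses with and without a control over a horizon."""
    reduction = (before.expected_annual_loss()
                 - after.expected_annual_loss()) * years
    cost = annual_control_cost * years
    return {
        "expected_loss_reduction": reduction,
        "control_cost": cost,
        "net_benefit": reduction - cost,
        "return_on_security_investment": (reduction - cost) / cost,
    }


# Constructed figures for illustration only (not from the interview):
# a $4M data breach, 25% annual likelihood without the tool, 5% with it.
BREACH_COST = 4_000_000.0
WITHOUT_TOOL = Scenario("no control", 0.25, BREACH_COST)
WITH_TOOL = Scenario("with $150k tool", 0.05, BREACH_COST)
TOOL_COST_PER_YEAR = 150_000.0  # figure cited in the answer above
HORIZON_YEARS = 3


def board_summary() -> dict:
    """Numbers a CISO could put in front of the board for this scenario."""
    result = control_cost_benefit(WITHOUT_TOOL, WITH_TOOL,
                                  TOOL_COST_PER_YEAR, HORIZON_YEARS)
    result["p_breach_without_tool"] = WITHOUT_TOOL.probability_within(HORIZON_YEARS)
    result["p_breach_with_tool"] = WITH_TOOL.probability_within(HORIZON_YEARS)
    return result
```

The output frames the question the board actually cares about: what expected loss the $150,000 spend removes over the planning horizon, not how many alerts the tool generated.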
BN: What types of metrics should CISOs be monitoring to communicate risk?
TE: To monitor the effectiveness of their solutions and processes, demonstrate the value of security expenditures, and assess their security team’s performance, CISOs must set specific metrics. The following metrics can help CISOs show their board the numbers that truly matter, rather than getting too wrapped up in technical details and data, and ensure the conversation is kept at the right level:
- Benchmarking: One of the best ways for a board to understand risk and expenditure is through comparison. CISOs should monitor their competitors’ and peers’ cyber health to evaluate where their cybersecurity posture stands in comparison.
- Quantified risk: As mentioned above, reporting in financial terms is key. Anytime a specific risk is being discussed at the board level, the CISO should be able to present risk, probability, and potential cost.
- Third-party risk: Monitoring the security posture of their own vendors and their vendors’ vendors will enable CISOs to assess whether their organization is susceptible to third-party risk. Security ratings platforms can put a numerical value on their business partners’ and prospects’ cyber hygiene.
- Compliance: Most organizations are subject to multiple cybersecurity and privacy compliance standards. The board should see a summary report of compliance status because non-compliance can result in material fines.
- Incident Response: Incidents happen, and they need to be addressed. Avoid measuring activity here and focus on risk-adjusted results. Identify a meaningful metric that’s better than mean time to recovery (MTTR).
- Personnel: Insider threat is a material problem and monitoring organizational turnover is one way to identify risk. The cybersecurity team itself is a key component for success, so reporting on team health is relevant as well.