In his predictions for 2019, Chuck Saia, Deloitte CEO of Risk and Financial Advisory, stressed the necessity for compliance and risk professionals to involve business leaders.
Saia noted that today only 30% of CEOs and board members are highly involved in their organizations' security programs. However, by 2020, 100% of large enterprises will be asked to report to their board of directors on cybersecurity and technology risk at least annually, an increase from today's 40% (Gartner).
"To engage senior leaders, the CIO and CISO should develop business-focused cyber risk reporting, rather than overly technical reports with a focus on business impacts and risks."
- Chuck Saia, Deloitte CEO of Risk and Financial Advisory
With cybersecurity rapidly becoming a board-level issue, many CISOs face the same level of inquiry and scrutiny as a CFO or CEO. Cyber is no longer an abstract concept that can be assessed with the question ‘are we secure’ and a brief ‘yes’. According to Gartner, successful CISOs are leaders, communicators, and managers, and all CISOs need to be prepared to convey the progress their organization is making to keep the enterprise secure as it continues to grow.
Shifting the conversation from high/low risk to good/bad risk
The issue many CISOs
Effective CEOs are trained to take the right business risks to drive growth. To get buy-in from their CEO, a CISO must reframe the inherent risks of new initiatives from a high/low model to a good/bad risk model. This shift requires a CISO to align their activities with business goals: instead of assessing risk through the lens of likelihood and impact, the good/bad risk framework looks at risk through the lens of value and appetite.
71% of non-IT executives said that concerns over cybersecurity are impeding innovation in their organizations - Gartner
Don’t be seen as an impediment to business progress. By aligning cybersecurity activities with business goals and taking a good/bad risk approach, you can effectively communicate the impact of new initiatives and help non-IT executives understand the inherent risks.
The 4 Reports To Effectively Communicate With Key Stakeholders
As enterprise stakeholders take an increasing interest in the security posture, the CISO needs to be able to convey their activities and success as effectively as a CFO can with a balance sheet and statement of cash flows. There are four recommended reports that help you align your activities as a CISO with the goals and objectives of the enterprise: Executive Risk Report, Trend Report, GDPR Report, Global Report.
Executive Risk Report
An Executive Risk Report delivers a high-level overview of the company’s risk. There are three critical breakdowns within the report: risk by threat type, risk by business impact, and the data protection triad (confidentiality, integrity, availability).
Within the risk by threat type and risk by business impact, each bar chart reflects the volume of residual risk, remaining risk, and mitigated risk.
The data protection triad reflects the number of controls implemented to protect each dimension. With emerging integrated risk management (IRM) systems like the CyberStrong platform, CISOs are able to see each dimension in order of priority based on the number of controls employed for each.
A CyberStrong Executive Risk Report also delivers a risk report breakdown for control families. As CyberStrong is built on the NIST frameworks, this chart is delivered through the lens of NIST’s 800-30, breaking controls into detect, identify, protect, recover, and respond. This chart also reflects the amounts of residual risk, remaining risk, and mitigated risk.
Finally, a CyberStrong Executive Risk Report includes a more granular breakdown of the risk posture by control family. Each family is assigned a CyberStrong score, which feeds into the risk scoring itself. Unlike the charts above, this table breaks the categories of risk down further: inherent risk (total risk by family), residual risk (
Trend Report
The CyberStrong Trend Report uses CyberSaint’s patented technology to deliver a CyberStrong score, a rollup of all assessments in the environment, together with the number of active assessments ongoing. Further, the Trend Report shows the number of assessments and controls updated and the number of users logged in during the last week. This report will help you display the ongoing progress your organization is making to keep the enterprise secure and is a perfect jumping-off point for discussing more granular activities with non-technical stakeholders.
The CyberStrong Trend Report also includes more granular tables to show the strongest and weakest points in each active assessment. As with the granular table in the Executive Risk Report, these tables use the CyberStrong score combined with a breakdown of inherent risk, residual risk, remediated risk, and opportunity. These breakdowns reveal weak points in specific control families and help you and fellow senior leadership prioritize remediation.
The CyberStrong Trend Report also delivers overviews of progress on assessments and updates made to controls in one month, three
GDPR Report
The General Data Protection Regulation (GDPR) has been a Board-level concern since its enactment in May 2018. As seen with Facebook, the first major infringement in September 2018, GDPR is a critical concern from both a security and a business standpoint. The CyberStrong GDPR Report uses CyberSaint’s list of controls and actions to ensure compliance and increase visibility into GDPR posture on an ongoing basis.
A radar graph compares the enterprise's posture against the GDPR standard, giving CISOs and stakeholders fast insight into their compliance.
The radar graph is followed by a granular table as seen in the Trend and Executive Risk Reports. This table delivers a deeper view of each control family, matched with a CyberStrong score, and breakdowns of inherent risk, residual risk, remediated risk, and opportunity.
The CyberStrong GDPR Report also delivers complete and comprehensive breakdowns of each control necessary for GDPR compliance.
GDPR marked the first legislative correlation of cybersecurity and business operations, and was a very public call to align business and security strategies. The CyberStrong GDPR Report allows CISOs to easily deliver an in-depth review of their enterprise’s GDPR posture to key stakeholders across the organization.
Overview Summary
The fourth critical report necessary to reflect a CISO’s alignment with business strategy is a complete Overview Summary. A CyberStrong Overview Summary provides a complete report on an enterprise’s entire assessment environment.
Highlighted throughout the overview is the CyberStrong score (using CyberStrong’s risk model), the first being a roll-up score of all active assessments ongoing. The following table delivers a brief overview of each ongoing assessment: its progress to date, the CyberStrong score, the owner, and when it was last updated. For CISOs delivering information on ongoing progress to the CEO and stakeholders, this table is critical.
Similar to the Executive Risk Report, the Overview Summary also delivers bar-chart breakdowns of risk by business impact, risk by threat type, and data protection priorities for the data protection triad.
The Overview Summary also delivers a CyberStrong score, a framework description, and
The most comprehensive report necessary for CISOs, the Overview Summary gives stakeholders a deep view of the security posture of the enterprise and helps illustrate the alignment of new business initiatives with the risks that arise as a result.
As cybersecurity increasingly becomes a Board-level matter, CISOs need the ability to report on their progress and activities as efficiently as a CFO can with a balance sheet and statement of cash flows. The four compliance and risk documents (Executive Risk Report, Trend Report, GDPR Report, and Overview Summary) do just that: these reports empower a CISO to effectively communicate their operations to the CEO and Board. With a shift from a high/low to a good/bad risk mindset, a CISO presents themselves as what they always were: an asset to business operations.