The need to communicate cybersecurity as a business function has always been prevalent, but now we see an increased board-level cyber involvement. Cybersecurity governance and risk have become a top-of-mind issue for C-suite executives and board leaders. With an evolving threat landscape and massive ransomware attacks, we see the bottom-line impact of fragmented and static cyber security management.
Being able to communicate an organization’s cyber posture is no longer simply a matter of securing more budget. With security breaches like JBS and Kaseya, cybersecurity and risk are directly impacting bottom lines and stock prices, just as any other business function within the organization does. As the information security professional and leader, chief information security officers (CISOs) must prepare themselves to articulate their programs effectively and face the same scrutiny as other C-level executives.
What do CISOs care about?
The CISO role has often been misunderstood by business-side teams and used as a scapegoat for security lapses. However, cybersecurity teams adopt many frameworks that are also developed for business-side leaders. Regarded as the gold-standard framework, the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) was written to be utilized by business- and technical-side leaders. With the elevation of cybersecurity to a Board- and CEO-level concern, CISOs must employ frameworks and tools like FAIR risk quantification to bridge the gap and foster an enterprise-wide conversation around security and risk. Cybersecurity needs to be demystified in order for board members to understand the value of cyber investment and the urgency for cybersecurity maturity.
The Needs of the Modern CISO
A CISO is responsible for many things in an enterprise. They are in charge of establishing security and governance practices, enabling a framework for risk-free business operations, and reporting cybersecurity to the Board of Directors. In order to be successful, the CISO needs to communicate effectively with the Board to ensure a proper understanding of information systems, the importance of risk management, and the necessary investment for cyber maturity.
There are three main needs of the modern CISO: an integrated risk management strategy and continuous compliance approach, “glass-box” tools like FAIR risk quantification for transparent insights, and automated and standardized reporting.
Continuous Compliance and Integrated Risk Management
There aren’t many tools available in the market that empower organizations to integrate their cybersecurity approach or support continuous compliance. The half-life of assessment data is incredibly short, which is to say that an assessment is only valuable as a snapshot of the organization at that point in time. With the rapid pace of innovation and technology adoption at any enterprise, annual (or at best quarterly) assessments are not an accurate representation of an organization’s cybersecurity posture at the time of reporting. The result is that decisions are made at the executive level using antiquated data, resulting in a lack of awareness and, worse, a lapse in security controls. Security leaders must employ a continuous compliance approach and, as a result, must shift the tools that their security organization uses.
Not only are continuous assessments necessary, but organizations that are still poring over spreadsheets are also at an inherent disadvantage. Spreadsheets are clunky and time-consuming, they lack transparency, and they make it hard for the organization to track risks, controls, and remediation activity. Compliance is most likely invalid by the time you’ve reached the end of assessing your spreadsheets.
The other cornerstone of a modern security program is an integrated approach to risk and compliance. Too often we see organizations using modular GRC tools that incentivize security organizations to stay siloed by design. Integrated risk management (IRM) reconfigures the GRC approach by building a risk-aware culture and enabling technologies that improve decision-making and performance.
For an organization to see relevant metrics that empower decision-making, they must use platforms that integrate all risk and compliance data so that leaders can see and understand the enterprise’s cybersecurity posture with the most up-to-date data possible. With an IRM approach, security leaders will have a risk-centric focus on cybersecurity that enables companies to meet compliance requirements as part of their practice.
Transparent Risk Quantification
When reporting out to Board- and C-level executives, security and risk leaders must start from a high level and be able to justify and explain the workings of their program. We are seeing in the market today an increasing number of black-box risk quantification tools that provide little to no insight into how these tools reach such metrics. Quantification methods that give ratings based on an ordinal level provide no actionable insights based on the results. Unclear quantification could prove catastrophic in a Board-level discussion if the person in the room positioned as the expert cannot explain a core aspect of their program.
CyberSaint promotes using “glass-box” solutions like the open-source NIST 800-30 risk assessment methodology, which is easily explainable to the Board and C-suite. The FAIR risk quantification model provides meaningful measurements in a dollar value. By assigning a financial value to security and risk and framing it as a business objective, CISOs and Board executives can make informed decisions regarding information security and risk.
Unlike other risk quantification methods, FAIR breaks down measured risk by identifying its components and their relative impact. Data is broken down into two quantifiable categories: loss event frequency and loss magnitude. Based on these categories, the degree of impact and type of identified risk can be assigned a dollar value and then explained as potential financial loss due to exposure. Not only does FAIR improve communication in the boardroom, this quantification method also improves risk communication across an entire organization.
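The decomposition described above, as an added example that is not CyberSaint's or the FAIR Institute's code: loss event frequency (LEF) and loss magnitude (LM) are each elicited as a low / most-likely / high range, sampled, and multiplied into an annualized loss exposure in dollars. The scenario numbers, the `Estimate` class and the hypothetical control are constructed for illustration.

```python
"""Minimal FAIR-style Monte Carlo: LEF x LM -> annualized loss in dollars."""
import random
from dataclasses import dataclass
from statistics import mean, quantiles


@dataclass(frozen=True)
class Estimate:
    """A calibrated low / most-likely / high range for one FAIR factor."""
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # Triangular distribution: bounded by the estimate and easy to explain.
        return rng.triangular(self.low, self.high, self.mode)


def point_estimate(lef: Estimate, lm: Estimate) -> float:
    """Most-likely annual loss: events per year times dollars per event."""
    return lef.mode * lm.mode


def simulate(lef: Estimate, lm: Estimate, trials: int = 20_000, seed: int = 7) -> dict:
    """Distribution of annualized loss exposure from sampled LEF x LM."""
    rng = random.Random(seed)  # fixed seed so the reported figures are reproducible
    ale = [lef.sample(rng) * lm.sample(rng) for _ in range(trials)]
    q = quantiles(ale, n=10)   # nine cut points: 10th .. 90th percentile
    return {"mean": mean(ale), "p10": q[0], "p50": q[4], "p90": q[8], "max": max(ale)}


def control_value(lef: Estimate, lm: Estimate, lef_after: Estimate, annual_cost: float) -> dict:
    """Expected loss before/after a control; positive 'net' means it pays for itself."""
    before = simulate(lef, lm)["mean"]
    after = simulate(lef_after, lm)["mean"]
    return {"before": before, "after": after,
            "reduction": before - after, "net": before - after - annual_cost}


# Constructed scenario (illustrative numbers, not from any real assessment):
# ransomware on a file server, 0.5 to 4 events/year (most likely 2),
# $50k to $1.2M per event (most likely $150k).
RANSOMWARE_LEF = Estimate(0.5, 2.0, 4.0)
RANSOMWARE_LM = Estimate(50_000, 150_000, 1_200_000)
# Hypothetical preventive control assumed to halve the frequency estimate.
LEF_WITH_CONTROL = Estimate(0.25, 1.0, 2.0)

if __name__ == "__main__":
    print(f"most-likely annual loss: ${point_estimate(RANSOMWARE_LEF, RANSOMWARE_LM):,.0f}")
    for name, value in simulate(RANSOMWARE_LEF, RANSOMWARE_LM).items():
        print(f"{name:>5}: ${value:,.0f}")
    print(control_value(RANSOMWARE_LEF, RANSOMWARE_LM, LEF_WITH_CONTROL, annual_cost=120_000))
```

The `control_value` output is the boardroom number: dollars of expected loss avoided per year against the control's annual cost, rather than an ordinal "high/medium/low" rating.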
Automating and Reporting
The assessment process is only as valuable as the data that your organization can report on and, in doing so, enable business-side decision making and carry results into the boardroom. Spreadsheets add an unnecessary tax on your cyber organization. For most teams, the greatest need for automation lies in post-assessment reporting. The lag between completing an assessment and delivering the report further outdates the assessment data; the value of an assessment is only as good as a singular snapshot in time. Automating reports allows security organizations to produce up-to-date reports that spreadsheets and modular tools simply cannot.
Meeting The Needs of The Modern CISO
With the elevation of the CISO into more and more senior-level management discussions, the solutions they employ for their organization become all the more critical. Employing an IRM approach empowers leaders and practitioners alike to get a better sense of enterprise-wide cybersecurity posture. Using glass-box methodologies that produce easily explained metrics will help support Board-level discussions with actionable insights and frame cyber and risk as a vital business unit. Finally, using an integrated approach allows for greater automation at the post-assessment reporting level and helps CISOs report consistently and drive significant decision-making.
To learn more about CyberStrong’s IRM approach and risk quantification capabilities for a mature cybersecurity posture, contact us.