When it comes to information security and stressing the importance of cyber risk management, getting the whole company (especially the C-suite) on the same playing field becomes paramount. There’s no question that when diving into it for the first time, starting a cyber security business plan can be daunting. There are countless acronyms, concepts, and approaches that can be difficult to wrangle into layman’s terms. There becomes this struggle of trying to explain these nebulous concepts while emphasizing the significance of mature risk posture and proactive security strategies to keep the company’s assets and their clients secure.
With the ever-changing landscape of cyber risk, how can security teams demonstrate the business value of security programs? How can CISOs underline the importance of correct procedures that need to be followed company-wide?
Benefits of Cybersecurity Investments Must be Framed Around Enterprise Goals
Historically in Boardrooms, when cybersecurity is brought up, it’s not presented as a solution. Instead, it falls under the category of a necessity that we throw money at and see no returns from’. Organizations typically want to spend as little time and resources on cyber strategy as possible, despite the repercussions and risks associated with bare minimum compliance and reactive risk management. If companies are looking at cyber initiatives after a sensitive data breach, they’re only managing the fallout and not the root of the issue. It leaves everyone wishing they had invested more in this area when clients and customers flood their inboxes with angry messages and stocks plummet.
This problem is further exacerbated by the fact that much of the language surrounding cybersecurity is negative. It becomes this damaging, circular way of framing cybersecurity initiatives that only focus on what the company has to lose in a breach, whether that’s money, time, or employees. CISO’s, who are often put in difficult situations even without breaches, are reluctant to bring up concerns in the boardroom because when cybersecurity strategies are brought up, it’s hardly ever a pleasant topic that fosters productive discussion.
When looking at the common ground between C-suite executives and infosec, financial projections and language seem to be the key. Gartner suggests that one of the best ways to outline the information, risks, and stakes in an easily digestible way is by emphasizing Integrity, Investment, Insurance and assurance, and Indemnity.
Discussing integrity highlights the benefits of improved confidentiality, availability, and accuracy of business information and processes. Bringing attention to the investment made gives security professionals a way to pinpoint what proactive cyber risk management can bring to the table in regard to return on security investment (ROSI). Insurance and assurance address the risk management benefits from an increased insight into the information risk factors the organization faces. Lastly, discussing indemnity opens the conversation with stakeholders to improve awareness, accountability, and greater stakeholder engagement.
Define and determine risk posture
As digital transformation creeps in on every industry, cybersecurity has changed, and the approach to risk management needs to change with it. When looking at strategy, it’s not productive to evaluate stances in terms like “bad cybersecurity practices” or “good cybersecurity practices”. There is a nuanced scale in the industry, and situations don’t tend to lend themselves to be so black and white. Instead, it’s more beneficial to address posture in terms of maturity and assessing an organization’s risk appetite. If organizations are too risk-averse, they limit their growth, but if they don’t take threats into account and only do the bare minimum compliance, they leave themselves vulnerable to breach. It is imperative that organizations consider cyber security in their business model.
Taking a risk based approach to your information security budget is an excellent place to begin. According to Gardner, “Risk management begins with self-awareness. What does risk mean to the organization? What level of risk is the organization comfortable with as it pursues its larger aims? Organizational leaders often don't understand the institution's risk appetite. Eliminating risk is impossible; even if it were not, it would be undesirable. The flipside of risk is opportunity; without risk, there is no "business." The key question is: "What is the right amount of risk for 'us'?”
Part of the c-suite responsibilities revolves around continuously addressing and monitoring these questions because, unfortunately, it’s not something that can be asked and answered once and never again. The nature of cyber and the internet is so dynamic that it can never be a one-and-done sort of thing. However, it can be made easier with AI-assisted continuous control monitoring or real-time threat assessments that take advantage of natural language processing to do away with the manual aspect of spreadsheets to monitor compliance. CyberStrong’s platform offers these integrated risk management solutions.
Drive home the value proposition added and control the narrative
When discussing cybersecurity in boardrooms with easy to relate to financial language, it’s important to tell a story that displays the ROSI the company gains with a mature approach to risk management. To begin the conversation, CISOs can craft a narrative that will resonate with executives by starting with the value added at specific points in their process, it’s easier for those outside of the cybersecurity industry to grasp the concepts of cyber risk management and the value it adds.
For example, if a company provides pet supplies to customers all over the country, demonstrating the value of and importance of risk monitoring could look something like this: a customer comes to their site from a vet recommendation. They order prescription food to be delivered to their house. The approval for the food goes back to the vet from the pet company (possible breach risk, value added by threat monitoring). The customer pays for the product through a secure payment app that saves their data for next time (possible vulnerability, value added by threat monitoring). The company saves the customer’s email to deliver order updates and tracking (possible vulnerability, value added by mitigation and monitoring).
By presenting a tangible narrative for organizations to connect to, CISOs can demonstrate how many aspects of the operation are left vulnerable due to poor risk management. It can also establish what the organization has to gain by being proactive and investing in the right programs to keep their data as secure as possible, keeping their client’s trust in the process.
With an intentional approach to communication with C-suite executives, security officers can create a company-wide culture of risk management with an easily relatable narrative to reinforce it.