A CISO is responsible for many things in an enterprise. They are in charge of establishing security and governance practices, identifying security objectives, enabling a framework that lets the business operate within an acceptable level of risk, and reporting on cybersecurity to the Board of Directors. To succeed, the CISO needs to communicate effectively with the Board so that it properly understands cybersecurity and the organization's risk exposures, and so that the security program receives the resources and funding needed to build it out and maintain it.
Over the past two years, cybersecurity professionals have had to contend with increasingly dangerous ransomware and cyber attacks, the effects of the COVID-19 pandemic, and a changing regulatory landscape. Yet these pressures have not produced the change in board-level understanding that was needed.
“Things seem to be where they were five years ago,” explained Kevin Powers. “Boards of Directors understand that security is not a technical issue, it’s a holistic approach that’s needed to move forward, but we still seem to be where we were five years ago.”
There is a clear communication gap between CISOs (and other security and risk staff) and the Board. Learn how the Board understands cyber and how its perceptions have changed recently in the STRONGER keynote event, Modern-Day Cybersecurity Governance: Enabling Cybersecurity from the Top Down. Padraic O’Reilly and Kevin Powers sit down to discuss the roadblocks to understanding that Boards experience when receiving security reports and how CISOs can improve their delivery in the boardroom.
The Boardroom is Slowly but Surely Learning
According to the Gartner 2020 Board of Directors Survey, cybersecurity-related risk is the second-highest source of risk, and by 2025, 40% of boards will have a committee dedicated to overseeing cybersecurity. Recognizing that cybersecurity is a top concern for the business is only the first step for boardroom leaders. They realize that cybersecurity is imperative for business health, but what that entails can be difficult to grasp.
The Board’s responsibility is not security or management; it is fiduciary care. CISOs need to acknowledge this so that they can frame the conversation around the Board's actual duties. Risk has to be presented in dollars and cents. When the conversation is driven by the fiduciary dimension of risk, the Board is more likely to engage with the presentation and to buy in.
“You can’t lead off with tech metrics, tech is not easily digestible,” said Powers. “Put your presentation, no matter how complex it is, so that an eighth-grader could understand and comprehend it. That’s what you need to do if you’re going to the boardroom.”
CISOs and security officers have to understand that security, privacy, and technology are not easy topics for the Board. The cyber threat landscape is complex, and it becomes opaque if it is not presented in an efficient manner. The Board can learn to understand and prioritize risk if both parties work to bridge this communication gap.
The CISO needs to explain the foundations of the organization's cyber posture first: what practices are in place, what can be improved, what competitors are doing, where the gaps are, and why they exist. If CISOs present a bold and relevant business case, they will pique the Board’s interest.
“We need to understand our cyber posture in simple terms, that was really the whole mission of the cybersecurity framework - to humanize it in a way,” explained O’Reilly. “It was to, sort of, make cyber into a practice, use the several frameworks to socialize risk and one of the ways for a CISO to go about it is to use dashboards.”
CyberStrong’s Governance Dashboards can be used to socialize risk and present granular risk data in dollars and cents. CyberSaint’s governance capabilities explain and identify risk in clear business terms by segmenting the data by business unit, location, and asset type to illustrate gaps at every level of the enterprise. Security leaders can engage leadership and executive management by displaying the likelihood and impact of risk and compliance findings through these dashboards.
“You can do a lot of good work for your leadership and your board if you can help them rationalize the risk exposures in dollars and cents,” said O’Reilly.
What Should CISO Presentations Accomplish
As the ambassador for security in the enterprise, the CISO needs to establish what cybersecurity is every time they speak with the Board. They need to explain the difference between cybersecurity and privacy, and also how the two relate to one another.
“They really need to take this initiative and understand that if they want to get buy-in, if they want to get more money and resources, they need to go in there and really pitch strong,” said Powers. “They need to make it clear that cybersecurity is not just the opposite of privacy but that it’s everything. Privacy ties into cybersecurity.”
Board leaders need to understand that cybersecurity includes technology, business operations, and information security. They need to know how data is protected, what the organization is permitted to do with it, who has access to it, and what rights the organization has over it. With the CCPA, the GDPR, and China’s new privacy law, leaders must contend with numerous regulations, and some of their requirements conflict with one another.
To manage this, leaders first need a complete view of the regulatory landscape and an understanding of each applicable standard before performing cybersecurity risk assessments. Security leaders will have to work with lawyers to analyze the risks associated with complying with particular laws.
“Your risk is basically comprised of how you do the things you do with respect to the standards, regulations, and security you have,” said O’Reilly. “It’s all interconnected.”
The problem with many legacy products is that they do not link the individual action items in a given standard to risk. The interconnectedness of cyber risk needs to be emphasized in board presentations.
Improving CISO Presence & Delivery in the Boardroom
There has been a market shift that puts risk front and center. As mentioned earlier, Board members recognize that a holistic approach is necessary for their enterprise. They want to understand where they stand with respect to ransomware, DDoS attacks, and malware, and what can be done to get out of a reactive mentality. With a siloed, reactive approach, companies barely get their heads above water before the next breach occurs.
“The shift is happening,” said O’Reilly. “Even with commercial and mid-size companies, they come to me and say we really need to talk dollars and cents upstairs around risk. Every enterprise conversation is we have to do risk across all our business units.”
Cybersecurity is becoming a top-of-mind concern for board members, and now is the time for CISOs to capitalize on the growing interest in cyber risk. Powers explains that cybersecurity needs to be presented at a level that is neither too granular nor too high-level. CISOs need to engage with the boardroom and emphasize an enterprise-wide risk approach.
Security leaders can present their cyber program, how it works, and how it corresponds to the steps of the NIST Risk Management Framework (RMF) (Prepare, Categorize, Select, Implement, Assess, Authorize, and Monitor in SP 800-37 Rev. 2), but it has to be explained in plain, almost conversational language. The Board first has to learn how the program is structured and where all the data is mapped and measured.
Once CISOs have established what the program is, they need to provide information about competitors. The Board will always ask how the company ranks against its peers. CISOs need to be ready with what is achievable within their budget, what other companies of similar size are doing, and what can be improved based on that comparison.
The next aspect CISOs need to present are the gaps in their approach and how to mitigate them. There may be more than one way to handle the gaps, and some companies might be willing to accept a certain amount of risk in some areas in order to address gaps in others that might be hit harder.
A platform like CyberStrong automates cyber risk assessments and provides real-time risk quantification. By getting out of spreadsheets, security leaders can report comprehensively to management and maintain a central system of record for the risk management process. CyberStrong allows security and risk leaders to illustrate changes in cybersecurity posture and inform members about Return on Security Investment (RoSI) across risk management initiatives to support informed decisions.
The last piece is where you need to go, and what will be the future of your cybersecurity program.
“Your programs are never going to be done. You’re always building and going forward with the regulatory requirements coming out,” explained Powers. He adds that, given the company’s unique risk profile and the applicable regulations, the program has to keep building on that risk profile so the organization can pivot in a time of cyber crisis.
One point to underscore in CISO presentations is the danger of a purely compliance-driven approach. Compliance does not guarantee security. A mature security approach combines compliance, best practices, and adherence to a risk framework. By taking a gradualist approach in presentations, CISOs can teach board leaders in an engaging way and motivate them to invest in security. Investing the time to build this foundational understanding will make board members want to learn more, and down the road CISOs can begin to present more granular metrics.
Cyber is a Business Function
Cyber and business are interconnected. The two will continue to shape each other as attacks grow more damaging and stricter regulations roll out. For board members, the priority is running the business.
“We cannot be Doctor No all the time,” said Powers. “We [CISOs] have to help you with your efficiencies, help you get your job because if we don’t, we’re going to work around each other which will cause a breach.”
For CISOs to enable governance from the top down, they have to engage and teach board members about security. It is not enough to tell members about the program; there has to be a conversation about security. Using a gradualist approach, with CISO presentations and governance dashboards that engage members, will make it easier for board members to understand and follow.