With high-profile data breaches and cyber incidents capturing headlines almost weekly, business leaders are getting a front-row seat to the impact that cybersecurity can have on an organization’s bottom line. CEOs and Boards of Directors are growing increasingly concerned about the risk that a poor cybersecurity posture poses to the enterprise as a whole. CISOs must deliver effective reporting to senior leadership, but business-side leadership also needs to be prepared to ask for what it needs.
Rolling Cybersecurity Risk Into Overall Risk
Among the business-side leaders I’ve spoken with, the greatest challenge is understanding how this new category of cyber threats fits into the enterprise’s existing risk profile. CEOs and board members are highly adept at managing other forms of risk, yet cyber risk management appears to be a different challenge altogether. Managing cyber risk as part of the organization’s overall risk profile, though, need not be as daunting as some think it is.
What To Ask Of Your CISO
As CEOs begin engaging more with their information security leaders, they need to make sure they’re asking for the right information to ensure success for both parties. Just as a CFO can produce financial risk models to support decision making, so too can CISOs develop cyber risk models that do the same. The most important point for business leaders to emphasize in this conversation is that their CISOs are employing risk modeling frameworks that are of value to both technical and non-technical stakeholders. There are multiple cyber risk frameworks available, but any framework is only as good as the decisions it helps facilitate.
Security Posture and Incident Response
In today’s world, breaches and incidents are a matter of when, not if. Whether the example is Marriott or Equifax, the world turns to the CEO when these incidents occur and expects answers. Traditionally, cybersecurity programs have been secluded and misunderstood by business leaders. The more I speak with business leaders, the more I’ve seen that the more cybersecurity is siloed away from senior and business-side management, the greater the negative impact when a breach does occur. To varying degrees, oversight of cyber risk must roll up to the CEO and the Board, with the more technical CISO guiding a cybersecurity strategy that enables business growth.
What CEOs Need
CEOs and senior business leaders need not only to be aware of their organization’s cybersecurity program but also to have a high-level sense of how effective it is. Whether in the form of an Executive Risk Report or otherwise, business leaders must be able to understand the overall cybersecurity posture of the enterprise.
It’s Not Just In The Event Of A Breach
According to the recent Verizon report, CEOs and other senior leaders are nine times more likely to be the target of a social-engineering attack. Commenting on that report, CyberSaint CEO George Wrenn said:
The drastic increase in social attacks on C-level personnel points to the increased demand for cybersecurity awareness in the C-suite. More and more we are seeing information security leaders brought into business side discussions to provide cyber-focused insights and feedback on business strategy. The flywheel effect at work – involvement of cyber leaders and increased awareness in the executive suite – has an ongoing positive effect, a necessary change given that personnel, as well as systems, are under attack.
CEOs and other business leaders need to be cyber-aware not only in the event of a breach, but because they themselves are a highly targeted point of entry for a breach or worse.
Understanding Cyber Is Paramount To Business Success
The greatest risk facing many business leaders today lies in cybersecurity. As all organizations must embrace new technologies to survive, CEOs can no longer afford to be cyber-unaware. The first step is engaging with the information security leaders within your organization: start with the risks that can affect you specifically (phishing, for example), and expand your knowledge from there. In tandem, collaborate with your CISO to ensure that the cyber risk metrics they deliver fit into the risk structures you already use for other facets of the enterprise; they want to deliver value as much as you want the information. In all, ensure that your organization is both performing and secure, and that you know how to measure those success metrics.