One of the most significant challenges that CEOs and business-side leaders face when tasked with implementing a cybersecurity program is the board-level reporting that follows once the program is in place. We are starting to see CEOs’ bonuses made contingent on cybersecurity progress, yet the technical nature of cyber can seem daunting to most business leaders. In this series, I’ll be outlining what information CEOs and business leaders need from their security programs to report effectively to board members on the state of their cyber posture.
FUD FUD FUD
The concepts of fear, uncertainty, and doubt (FUD) are practical tools when building a proactive program like cybersecurity, provided they are used sparingly. In most cases, boards and CEOs are most concerned with not ending up in the headlines alongside the likes of Colonial and JBS. Contextualize the function of your cyber program with these headlines to help the board understand why the enterprise needs this program urgently.
Cyber has to be demystified to get your board invested in cybersecurity. Your cybersecurity posture needs to be framed as a business component. The board should know that an effective cybersecurity program will keep your business running seamlessly and is not just draining your company's resources.
Pull In Your CISO
No one knows cybersecurity strategy and risk management like your CISO. They have been in the trenches and understand the ins and outs of the technical aspects of your organization’s security and risk. When reporting on cybersecurity progress, a symbiotic relationship between the CEO and CISO needs to develop. CISOs are typically more technical and risk getting lost in the weeds when reporting on cyber posture to the Board of Directors. The CEO can be a good filter for what is relevant and what is unnecessary in that context: a risk-aware CEO can distill cyber information and frame it through a lens that is meaningful to board leaders. In turn, CISOs bridge the gap between technicians and business leaders, explaining the more technical side to the CEO in anticipation of explaining it to the Board. When invested in, this relationship helps keep the organization secure and ensures business growth through technology.
What Threats Matter To Your Organization
Following a high-level overview of the general threats that face any organization, get more specific. Being risk-averse is not the same as being risk-first. Risks are not inherently damaging, and some risks need to be taken for a company to grow. Collaborate with your security executives or CISO to understand which risks are specific to your organization. Are you a healthcare organization that faces attacks through connected devices and strict regulation of personally identifiable information (PII)? Or are you a tech company that needs to focus more on data privacy and protection and faces brand and reputational threats?
Communicating existing risks encourages “shared risk-taking” between C-level executives and board members. Accounting for operational, financial, security, and supply-chain risks, CEOs have to be transparent about existing threats in order to deal with them effectively and to gain enough support and cyber investment from the board. A risk-aware board can align cyber risk with business objectives and goals.
You need to determine whether your information security risk and compliance tool automates risk reporting. In CyberStrong, we offer a suite of executive-focused risk reports at varying levels of granularity. In this case, focus on an executive-level risk report: the CyberStrong Executive Risk Report shows the top three risks facing the enterprise.
For greater context, FAIR (Factor Analysis of Information Risk) risk quantification is used to express your security posture in financial terms. Using this quantitative method, CEOs and CISOs can identify the components of the measured risk and determine the economic impact of that risk exposure. The transparency and ease of reporting with the FAIR model will enhance board-level reports and provide actionable insights for controlling or reducing risk.
Articulating Risk Appetite
Your board’s interest in cyber needs to meet the current risk appetite of the organization. As enterprises continue to welcome new technology, they also embrace new risks to the organization. A CEO needs to understand the volume of cyber risk at an aggregate level. Risk management tools increase the organization’s visibility and automate many of the menial tasks cyber teams perform that are critical to board meeting reports. Specifically, such solutions help quantify cyber risk in the same way that a CFO quantifies financial risk or a CEO and Board quantify strategic risk.
Rolling cyber risk into an organization's overall risk appetite statement helps CEOs report up and manage down. An information security report to the board of directors will help members understand how cyber fits into the organization’s risk profile and how that drives progress. With an agreed-upon risk appetite, CISOs and cyber teams understand how much risk the CEO and Board will tolerate in pursuit of growth.
Cybersecurity Program Maturity
Especially when a cybersecurity program is new, it is critical to ensure that CEOs can benchmark and track progress as the program matures. This is where CEO bonus contingencies come into play: if the cybersecurity organization does not track progress, it becomes increasingly difficult for a CEO and CISO to sift through the record and retroactively determine progress. Developing a risk register will enable your CEO and CISO to track and identify cybersecurity risks in a centralized place that other business units can also refer to. Your risk register should be used to create an inventory of potentially adverse events, with the likelihood, impact, and description of each event.
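To show how a risk register feeds a FAIR-style, top-three executive risk report like the one described under "What Threats Matter To Your Organization", here is an added example (not CyberStrong's code or any FAIR reference implementation). It assumes the register holds each risk's description plus calibrated minimum / most likely / maximum ranges for FAIR's two top-level factors, loss event frequency (events per year) and loss magnitude (dollars per event), and that both are modelled with triangular distributions; the register entries and figures are constructed for illustration.

```python
"""Constructed example: FAIR-style quantification of a small risk register.

Each entry carries a description plus ranges for the two top-level FAIR
factors, loss event frequency (LEF, events per year) and loss magnitude
(LM, USD per event). Risk is reported as annualized loss expectancy,
LEF x LM, both as a closed-form expected value and as a Monte Carlo
estimate with a tail (90th percentile) figure for the board.
"""
import random
from dataclasses import dataclass
from statistics import mean
from typing import List, Tuple

Range = Tuple[float, float, float]  # (minimum, most likely, maximum)


@dataclass(frozen=True)
class Risk:
    name: str
    description: str
    lef: Range  # loss event frequency, events per year
    lm: Range   # loss magnitude, USD per event


# Constructed register; the figures are illustrative, not from a real assessment.
RISK_REGISTER: List[Risk] = [
    Risk("Ransomware on file servers",
         "Encryption of shared storage halts order processing",
         lef=(0.1, 0.3, 1.0), lm=(200_000, 800_000, 3_000_000)),
    Risk("Phishing-led account takeover",
         "Credential theft leading to payment fraud or data exposure",
         lef=(1.0, 3.0, 8.0), lm=(5_000, 25_000, 100_000)),
    Risk("Connected medical device compromise",
         "Tampering with networked clinical devices exposes patient data",
         lef=(0.05, 0.2, 0.5), lm=(50_000, 150_000, 500_000)),
    Risk("Third-party vendor data breach",
         "Supplier holding customer PII suffers a breach",
         lef=(0.1, 0.25, 0.6), lm=(100_000, 400_000, 1_500_000)),
]


def triangular_mean(r: Range) -> float:
    """The mean of a triangular distribution is the average of its three parameters."""
    return sum(r) / 3.0


def expected_annual_loss(risk: Risk) -> float:
    """Closed-form ALE: LEF and LM are modelled as independent, so E[LEF*LM] = E[LEF]*E[LM]."""
    return triangular_mean(risk.lef) * triangular_mean(risk.lm)


def simulate_annual_loss(risk: Risk, trials: int = 20_000, seed: int = 1) -> dict:
    """Monte Carlo ALE: sample LEF and LM from triangular distributions and multiply."""
    rng = random.Random(seed)  # seeded so the report is reproducible between board meetings
    lo_f, ml_f, hi_f = risk.lef
    lo_m, ml_m, hi_m = risk.lm
    samples = sorted(
        rng.triangular(lo_f, hi_f, ml_f) * rng.triangular(lo_m, hi_m, ml_m)
        for _ in range(trials)
    )
    return {
        "mean": mean(samples),
        "p90": samples[int(0.9 * trials)],  # annual loss exceeded in roughly one year in ten
    }


def top_risks(register: List[Risk], count: int = 3) -> List[dict]:
    """Rank the register by expected annual loss and return the top entries for an executive report."""
    rows = []
    for risk in register:
        sim = simulate_annual_loss(risk)
        rows.append({
            "name": risk.name,
            "expected_loss": expected_annual_loss(risk),
            "simulated_mean": sim["mean"],
            "p90": sim["p90"],
        })
    rows.sort(key=lambda row: row["expected_loss"], reverse=True)
    return rows[:count]


if __name__ == "__main__":
    for row in top_risks(RISK_REGISTER):
        print(f"{row['name']:<40} ALE ${row['expected_loss']:>12,.0f}"
              f"  (simulated ${row['simulated_mean']:>12,.0f}, p90 ${row['p90']:>12,.0f})")
```

The closed-form column is what most boards want to see first; the simulated mean should agree with it closely, and the p90 column is the "bad year" figure that supports a discussion of risk appetite. The ranking ignores existing controls, so the same register can be re-run with narrower ranges after a control is deployed to show the program's progress in dollar terms.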
Some tools automatically generate a cybersecurity maturity score based on the maturity model you choose to use. For everyone involved in cybersecurity board reporting, whether CEOs, CISOs, or cybersecurity teams, this level of automation increases transparency and saves a great deal of time.