One of the greatest challenges that CEOs and business-side leaders face when tasked with implementing a cybersecurity program is the board-level reporting that goes on once the program is in place. We are starting to see CEOs' bonuses made contingent on cybersecurity progress, but for most business leaders the technical nature of cyber can seem daunting. In this series, I'll be outlining what information CEOs and business leaders need from their cybersecurity programs to effectively report to the Board of Directors on the state of their cyber posture.
FUD FUD FUD
The concepts of fear, uncertainty, and doubt (FUD) are effective tools when developing a proactive program like cybersecurity - when used sparingly. In most cases, Boards and CEOs are most concerned with not ending up in the headlines along with the likes of Equifax and Marriott. Contextualize the function of your cyber program with these headlines to help the Board understand why the enterprise needs this program.
What Threats Matter To Your Organization
Following a high-level overview of the general threats that face any organization, get more specific. Collaborate with your head of information security to understand which threats are specific to your organization - are you a healthcare organization that faces attacks through connected devices and heavy regulation around personally identifiable information (PII)? Or are you a tech company that needs to focus more on data privacy and protection and faces brand and reputational threats?
In these specific cases, determine whether your CISO's risk and compliance tool automates risk reporting. In CyberStrong we offer a suite of executive-focused risk reports at varying levels of granularity. In this case, focus on an executive-level risk report - the CyberStrong Executive Risk Report shows the top three risks facing the enterprise.
Articulating Risk Appetite
This is where the Board's interest in cyber needs to meet the existing risk appetite of the organization. As enterprises continue to embrace new technology, they are also embracing new risks to the organization. A CEO does not need to know every granular technical threat to the enterprise; what they do need to understand is the volume of cyber risk at an aggregate level. Risk management tools that increase visibility across the organization and automate many of the menial tasks that cyber teams perform are critical to reporting to the Board - specifically, solutions that help quantify cyber risk in the same way that a CFO quantifies financial risk, or a CEO and Board quantify strategic risk.
Rolling cyber risk into an organization's overall risk appetite statement helps CEOs report up and manage down - Board members understand how cyber fits into the organization’s risk profile and how that drives progress, and CISOs and cyber teams understand the risk tolerance that the CEO and Board will allow to pursue growth.
Cybersecurity Program Maturity
Especially when a cybersecurity program is new, it is critical to ensure that CEOs can benchmark and track progress as the program matures. This is where CEO bonus contingencies come into play - if the cybersecurity organization does not track progress, it becomes increasingly difficult for a CEO and CISO to sift through the record and retroactively determine progress. There are tools that automatically generate a cybersecurity maturity score based on the maturity model you want to use. For everyone involved in cybersecurity board reporting - CEOs, CISOs, and cybersecurity teams - this level of automation can increase transparency and save volumes of time.
Pull In Your CISO
No one knows cybersecurity strategy and risk management like your CISO. They have been in the trenches and understand the ins and outs of your organization's technical needs for security and risk. When reporting on cybersecurity progress, a symbiotic relationship between the CEO and CISO needs to develop. CISOs are typically more technical and run the risk of getting lost in the weeds when reporting on cyber posture to the Board, and the CEO can be a good filter for what is relevant and what is not necessary in that context. CISOs, in turn, can help bridge the gap between technicians and the CEO and business leaders - explaining the more technical side to the CEO so that the CEO can then explain it to the Board. This relationship, when invested in, can help keep the organization secure as well as ensure business growth through technology.