Headlines are increasingly dominated by the latest data breach. Rapid digital transformation keeps expanding the attack surface, the threat landscape keeps getting harder, and the resulting risk to businesses, to both brand and bottom line, continues to grow.
The result is that cybersecurity is now front and center not only for the executive suite but also for the corporate board of directors. The days when cybersecurity lived inside the IT department and only left its technology silo after a data breach or a malicious attack caused an operational outage are gone.
According to a survey by the National Association of Corporate Directors, 58% of corporate board members at public companies believe that cyber-related risk is the foremost challenge they are facing.
CISOs are expected to keep these key stakeholders informed in a way that is delivered in the language of business and in line with strategic business objectives. “Boards have awoken to the impact that cyber threats can have on the business,” says Craig LeGrande, the CEO and co-founder of Mainstay Company, a consulting organization focused on helping businesses to measure the business value of technology deployments. “They want to understand, measure, and track the risk cybersecurity poses to the business.”
Beyond the potential impact to the business, boards are finding they are being held accountable for maintaining adequate controls to protect critical data and assets.
So, how are they doing? Not very well, if you take the word of corporate boards.
Less than 15% of directors say they are “very satisfied” with the quality of cybersecurity information they receive from management. And conversely, while nearly all CISOs (over 90%) want to align their security strategy with business key performance indicators (KPIs), nearly half (46%) feel they cannot accomplish this.
Much of that feeling of unpreparedness is rooted in the fact that many CISOs are technologists who rose from an IT background where they were measured on hard, technical skills. That pedigree falls glaringly short in an environment where 85% of the skills listed in employers' CISO job ads are soft skills.
Thus, when it comes to communicating with the board and reporting cybersecurity measurements to it, many CISOs are poorly equipped. Their background as technologists inhibits rather than enables their ability to translate security into something meaningful to the board.
The reality is that meaningful cybersecurity conversations with the boards are not taking place in too many instances. For example, only half of board members indicate they have discussed their organizational reputation in the past year, and almost half cannot identify events that would damage their organization’s reputation.
So, what are some of the things CISOs can do to align their cybersecurity strategies with the goals and objectives of their boards?
While the cybersecurity approach an organization takes varies with the nature of the business, one thing is universal: every board wants the security discussion to start with risk. The overarching question is how risk is measured when it comes to vulnerabilities and exploits.
As a recent Financial Services Roundtable (FSR) discussion substantiated, there is no magic set of metrics that CISOs should universally be using to monitor and evaluate cybersecurity risk. However, choosing data points that are both relevant for your industry and aligned to key performance indicators is a must.
Focus on the metrics that truly demonstrate effectiveness and impact and be sure to clearly track and report on status, illuminating how change has happened over weeks, months, and years.
Additionally, security leaders need to avoid getting bogged down in the minutiae of operational data, such as how many viruses were quarantined or patches were implemented. Leave these volumetric insights behind and rather develop a strategic narrative pegged to the organization’s big-picture goals.
Data must be validated against industry-accepted frameworks, such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework and the ISO 27001 standard, and should include peer benchmarking. While it is critical to tell a narrative when communicating security measurements, CISOs must build that narrative on objective, quantitative evidence.
Similarly, never lose sight of the fact that board members approach issues with a financial and legal set of lenses; the majority of members may be dollars-and-cents professionals from the worlds of finance and legal.
For cybersecurity, their primary concern revolves around the level of risk facing the organization and what is being done to mitigate that risk. Investor confidence and reputational damage (and the stock prices they affect) remain top of mind—as does ensuring the company avoids any devastating legal or regulatory compliance missteps.
Mainstay’s LeGrande notes that cybersecurity must be evaluated in terms of measurements that make sense to the board. “CISOs should focus on risk mitigation in the context of how it can catalyze business and contribute to the health of the overall organization,” he says. “Not only should an organization develop a cybersecurity approach that enables business strategy, but it should measure the likelihood of a security event taking place and calculate how that risk translates into financial impact.”
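One way to turn "likelihood of an event" and "financial impact" into a figure a board can compare against its risk tolerance is a small loss model. The following is an added example, not code from the original article, from Fortinet, or from Mainstay. The scenario, its event frequency, its per-event loss percentiles and the USD 5M tolerance are constructed placeholders; the modelling choices (Poisson event counts, a lognormal per-event loss fitted to 10th/90th-percentile estimates, Monte Carlo summarisation) are the editor's assumptions, in the style used by quantitative risk methods such as FAIR, not a method the article prescribes.

```python
from __future__ import annotations

import math
import random
import statistics
from dataclasses import dataclass

Z90 = 1.2815515655446004  # standard-normal quantile for the 90th percentile


@dataclass(frozen=True)
class Scenario:
    """One loss scenario expressed in terms a board can sanity-check."""
    name: str
    events_per_year: float  # expected frequency, e.g. 0.3 = roughly once every 3 years
    loss_p10: float         # per-event loss (USD) that 10% of incidents fall below
    loss_p90: float         # per-event loss (USD) that 90% of incidents fall below


def lognormal_params(s: Scenario) -> tuple[float, float]:
    """Convert the 10th/90th-percentile loss estimates into lognormal (mu, sigma)."""
    lo, hi = math.log(s.loss_p10), math.log(s.loss_p90)
    return (lo + hi) / 2, (hi - lo) / (2 * Z90)


def analytic_expected_loss(s: Scenario) -> float:
    """Closed-form annual expected loss: frequency x mean per-event loss."""
    mu, sigma = lognormal_params(s)
    return s.events_per_year * math.exp(mu + sigma ** 2 / 2)


def _poisson(rng: random.Random, lam: float) -> int:
    """Knuth's Poisson sampler; fine for the small annual rates used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(s: Scenario, years: int = 20_000, seed: int = 7) -> list[float]:
    """Monte Carlo: for each simulated year draw an event count, then a loss per event."""
    rng = random.Random(seed)
    mu, sigma = lognormal_params(s)
    losses = []
    for _ in range(years):
        n = _poisson(rng, s.events_per_year)
        losses.append(sum(rng.lognormvariate(mu, sigma) for _ in range(n)))
    return losses


def summarize(losses: list[float], tolerance: float) -> dict[str, float]:
    """Board-facing numbers: expected loss, a 'bad year' (p95) and the odds of exceeding tolerance."""
    ordered = sorted(losses)
    n = len(ordered)
    p95 = ordered[min(n - 1, int(0.95 * n))]
    return {
        "expected_annual_loss": statistics.fmean(losses),
        "p95_annual_loss": p95,
        "prob_exceeding_tolerance": sum(1 for x in losses if x > tolerance) / n,
    }


if __name__ == "__main__":
    # Constructed illustrative inputs; not figures from any real organization.
    ransomware = Scenario("Ransomware outage", events_per_year=0.3,
                          loss_p10=200_000, loss_p90=5_000_000)
    report = summarize(simulate_annual_losses(ransomware), tolerance=5_000_000)
    print(f"{ransomware.name}: closed-form expected annual loss "
          f"${analytic_expected_loss(ransomware):,.0f}")
    for key, value in report.items():
        if key.startswith("prob"):
            print(f"  {key}: {value:.3f}")
        else:
            print(f"  {key}: ${value:,.0f}")
```

The expected annual loss is the number that belongs in a budget conversation; the p95 figure and the probability of exceeding the stated tolerance are what answer the board's actual question, which is how bad a bad year could be and whether the organization has accepted that. Re-running the model after a control is deployed (lower frequency, lower loss percentiles) gives the before/after trend that L16-style status reporting asks for.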
For example, think about this in terms of digital transformation and the wealth of new opportunities it is creating. From cloud adoption to mobile expansion, evolving technologies are enabling business to become more agile, more scalable, and better positioned to expand revenue and drive operational efficiencies in unprecedented ways.
However, as Fortinet’s 2018 Security Implications of Digital Transformation Report brings to light, 85% of organizations indicate that security concerns stand in the way of capitalizing on these new opportunities.
As a CISO, tying cybersecurity strategy and risk response plans to the business impact that results from leveraging these new technologies is exactly the kind of enablement boards value.
To gain a deeper understanding of the corporate board’s priorities, Russ Schrader, Executive Director of the National Cyber Security Alliance (NCSA), recommends that CISOs speak to others who have presented to the board before in order to “know the room.” As he says, “You’re not the first person to ever report to the board. Figure out who these people [the board members] are, how they’ve reacted to presentations in the past, how they want to be talked to, and how technical they are.”
Knowing who is in the room and 'what makes them tick' is invaluable information that security leaders can tap when determining what to measure and report and what not to measure and report.
The technical prowess of many CISOs may have propelled them up the ladder and into the security leadership role. But the realities of the advanced threat landscape and requirements from the board—and executive leaders such as the CEO and CFO—suddenly place CISOs in unfamiliar territory. Those same skill sets fail them when it comes to communicating with the board, many of whom do not have a technologist pedigree.
Speaking in the language of technology details and statistics leads to friction and undermines the CISO’s efforts to communicate in a meaningful manner with the board.
An important starting point is to talk in the language of the business, using risk metrics that business executives and board members understand. With news headlines reporting one cybersecurity debacle after another, board members already doubt that their organizations are immune from cyberattacks.
Only 37% of board members feel confident that their organizations are properly secured against a cyberattack.
CISOs must construct risk narratives that align with measurements that matter to their boards. One note of warning is needed here. Panic-mongering will not resonate with boards and can actually backfire. Instead, boards want actionable insights, meaningful business measurements, and definitive plans that address risks.
Some of the issues CISOs must address include:
Finally, with 96% of board members believing their organizations will experience a malicious intrusion that results in data theft or operational outages within the next year, CISOs must talk not only about protecting against intrusions but also about detecting and remediating them when they do occur.
Data privacy and user confidentiality are no longer just buzzwords batted around a meeting attended by IT and security staff. Indeed, at a global level, governments are stepping up and implementing more stringent regulatory policies, such as the EU’s General Data Protection Regulation (GDPR), and issuing more frequent pronouncements that place a greater “duty of care” on boards.
Additionally, it is important to remember that regulation extends beyond protecting data and personally identifiable information (PII). In operational technology (OT), this includes compliance with requirements from regulators and standards bodies such as the North American Electric Reliability Corporation (NERC, through its CIP standards), the Federal Energy Regulatory Commission (FERC), the International Electrotechnical Commission (IEC) 62443 series, the International Society of Automation (ISA99), and ISO 27001.
Boards look to their CISOs to translate the ramifications of security compliance requirements into language the business understands, and to track and report against them. CISOs must speak the language of the board when doing so and avoid putting on their 'technologist hats.' At an operational level, boards also want reassurance that CISOs are proactively addressing compliance requirements. This requires transparent visibility across each security element, including a data map of the organization’s information landscape, monitoring and management of access pathways, and identification of infrastructure gaps.
The intertwining of the network and security also necessitates an integration of network operations centers (NOCs) and security operations centers (SOCs). This enables CISOs to deliver a single source of record (or truth) rather than disjointed datasets.
Much has been written on the cybersecurity skills gap. Two-thirds of organizations report they have an insufficient number of security professionals to address the challenges of the current threat landscape. According to Cybersecurity Ventures, there are over 1 million unfilled security positions today, a number expected to grow to 3.5 million by 2021.
CISOs who think they simply need to demonstrate the gap between their current risk posture and organizational risk tolerance to convince their boards to approve more resource allocations make a strategic mistake. Demonstrating good stewardship and a strategy to optimize workflows and processes through greater integration and automation is pivotal.
Boards think in terms of cost avoidance and reduction and operational efficiencies and productivity gains. “A critical starting point for any conversation about staffing resources with the board—or for that matter any executive leader—should begin with how organizations are reducing costs and improving efficiencies,” says Mainstay’s LeGrande. “This can sometimes be challenging for CISOs, who did not ‘grow up’ in environments where they had to employ total cost of ownership (TCO) models to justify program expenditures. Infrastructure and tool integration and automation can help security teams achieve significant scale.”
For specific headcount requests, boards often want to know what security skills gaps exist and how those translate into potential risks. In addition, they want to know if those skills are also in high demand in the marketplace (thus the level of difficulty in filling the role) and if alternatives exist such as filling the function with a subject-matter specialist from a managed security service provider (MSSP).
CISOs who view their board interactions as an activity that happens only when the boards meet often find themselves in a constant state of reaction. Global 1000 CISOs agree, noting that nurturing relationships via informal meetings with select members of the board is critical to developing a mutual understanding around cybersecurity.
While boards may be experts on financial, sales, and marketing issues, many lack even basic knowledge of the cybersecurity realm. For example, a recent survey by the National Association of Corporate Directors reveals that only 19% of respondents felt that they had a high level of cybersecurity knowledge. This creates roadblocks when CISOs present to their boards—specifically, members do not have the foundational building blocks to confidently oversee the scope and implications of cybersecurity risk.
These educational gaps can be addressed by spending more time meeting with board members, both seeking their input and also educating them on cybersecurity challenges and requirements. Having board members spend time with security staff and time in the SOC can turn them into huge advocates and advisors—both in the boardroom and outside of it.
Including business executives such as the CEO, CFO, and COO in some of those conversations with board members can also help facilitate security-business alignment and build rapport with the board.
Sometimes, engaging a third-party subject-matter expert to help advise the board on cybersecurity issues can be fruitful. Utilizing this level of expertise is commonplace when boards are evaluating financial strategy—and accordingly, it can give the board a solid indication that a CISO is implementing an adequate cybersecurity program.