Most individuals on the board of directors for organizations are not cybersecurity experts. However, they are likely very aware of the global events going on in this tumultuous time of continued disruption by the Covid pandemic, the war in Eastern Europe, and the growing volume and sophistication of cyberattacks. With these concerns in mind, they definitely want to know if their organization is at risk.
You can also bet that although they don’t know all the technical jargon of cybersecurity, they are savvy enough ask CISOs or CIOs for a status report on the organization’s cyber defenses. This presents a challenge for an IT security expert reporting cybersecurity posture to the board: “How can I effectively communicate our organization’s cybersecurity risk? What metrics can I share with them that will properly answer the ‘Are we at risk?’ question?”
Honestly, I don’t believe boards care as much about metrics as we sometimes think. They would rather have a simple yes or no answer to the questions: "Are we at risk?" and “Are we protected?” The problem with the first question is that the answer is always yes. No matter how much you put in place to protect yourself, there's always a risk. In the digital world, enterprises are always facing threats—no matter the time or place. As for the second question about protection, there is no simple yes-or-no answer. Because even if the answer is “Yes, we’re protected.” It begs a follow-up question: “Are we protected enough?”
Too many organizations think only about preventing attackers from getting in. They tend to focus on firewalls, antivirus, remote access authorizations, etc. However, there is a very real chance that an adversary has already circumvented these defenses and is inside their networks. When attackers have evaded frontline defenses, CISOs need to have a strategy in place, including tools such as sandboxing, deception technology, and analysis to detect, deceive, and quarantine the invaders.
I think CISOs need to educate board members on how to ask better questions regarding cybersecurity risk. The questions that an organization’s leadership team should be asking include: "Where are our risks? Which are the highest priority? How can we reduce risks?"
These types of queries will help CISOs develop a strong cybersecurity strategy. They need to identify what the best cybersecurity posture is for the organization and select activities that will protect the highest risks to the business. The board of directors should be paying attention to this strategy and not just having cybersecurity as a check-off item on their monthly meeting agenda. Cybersecurity must be a board-level priority within the organization.
Regarding a company’s cybersecurity risk, the board of directors needs to understand these three basics:
1) The Threat of Attack is Existential for Most Organizations – For example, a ransomware attack that shuts down production could bring down the company permanently. It is that serious.
2) Cybersecurity Requires Prioritization – Cybersecurity requires investment, just like other areas organizations invest in—human resources, the legal department, facilities, IT, and so forth.
3) Three Types of Investment – The investments that must be made in cybersecurity really come in three forms: people, products, and processes.
a. People – Organizations need people who have the skills to understand and protect the business and its employees. This means investing in skills and cybersecurity training—whether your own staff or people to manage your outsourcers.
b. Products – CISOs need technologies that work together and are easy for the IT staff to manage and analyze. It should include threat intelligence subscriptions.
c. Processes – Investment in processes is not just a combination of people and products but it's also having vigilance. Having processes in place means the organization is constantly observing the threat landscape and becoming more and more aware of what it looks like. This also means stayng on top of new developments, both in terms of threats and types of defenses.
Above are all things that the security team should be dealing with and CISOs need to find ways of abstracting them to the board level. Again, metrics might seem like a natural way of conveying the data, but the problem with metrics is that every organization is different—and there are no real standard security measurements. That said, there are several standards that CISOs can compare their organizations to as well as try to attain. They are: NIST in the U.S., the NIS directive in the European Union, and, in production and operational environments, IEC 62443, which has four security levels.
What the cybersecurity team leader—whether they're on the networking side or cybersecurity side—needs to do rather than provide metrics specific numbers, is provide a dashboard to the board. A dashboard view is something that can give them a comprehensive idea of the state of the organization’s protection.
Another non-metric tool that CISOs may want to consider, that can help justify security investments to top leadership and the board of directors, is the EU’s Return on Security Investment (ROSI) formula. This methodology was developed by ENISA, a European security organization. Essentially, it enables a CISO to come up with a number that looks like an ROI (return on investment) percentage—allowing it to be compared to traditional investments.
With ROI, it shows how much a regular investment is going to return. With ROSI, it indicates how much monetary protection an organization is going to get or how much loss is going to be avoided. ROSI allows the cybersecurity team to go into a board meeting armed with a number, so that they can show it to the board of directors, who then get to decide between investing in, for example, a new machine, for the production line or in protection for the organization’s database.