Need to get the Board’s Attention on Cyber Issues?

When it comes to cybersecurity, identifying risk is only half the battle. A CISO’s next step is to share these risks with leadership to strengthen the organization’s security posture, minimize losses and maximize the ROI of technology investments.

Successfully taking this step requires the board’s ear — and respect.

If you’re worried or frustrated (or both!) about this, you’re not alone. It’s a top-of-mind issue for security leaders across industries. In fact, CISOs we talked to at this year’s RSA Conference named board reporting among their top concerns. Mastering board engagement is not only vital for your organization; it’s also critical to your own department’s future: effective board engagement can lead to an increase in your cybersecurity budget and an extension of your team’s capacity.

It’s not enough to merely be an advisor to the board — when you win leadership’s trust, you can thrive as a strategic partner.

This blog series is here to help

The board has limited time and attention, so it can focus only on the most significant issues among the hundreds of cybersecurity threats and risks in your world.

A CISO needs to think comprehensively about the organization’s most significant risks, then ruthlessly triage:

  • Which assets and capabilities are most valuable to the business?
  • Which threats are most likely?
  • What’s the operational and financial impact of such an event?
  • What about reputational damage?

Answers will vary by industry. If your company collects personal data, a breach could incur millions in fines and diminish customer trust. If your company is an online business like Amazon, every minute your website is down could mean millions in lost sales and customer loyalty. Global manufacturers are particularly vulnerable to risk across their supply chains, and technology, entertainment, and pharmaceutical companies are particularly vulnerable to intellectual property theft.

Most importantly, which risks could be considered material? What’s the trade-off (or opportunity cost) of not investing cyber resources in a particular area?

Neither threats nor potential technology investments are created equal. Some aspects of the enterprise might be okay with the bare minimum of attention — maybe because of minimal operational impact or vulnerability. Meanwhile, others might be mission-critical and deserve executive attention and investment.

These are crucial distinctions, and CISOs today can’t afford to get them wrong. They must understand the cyber landscape and their business to focus the board’s attention — and their organization’s budget — on the right things.

Have the right frameworks — and a plan — in place

Your board will next want to know how you manage and mitigate these top-priority risks. Here, too, it’s vital to be prepared with solid security controls and initiatives.

The good news is that much of this groundwork has already been done for you.

If you’re looking for a framework for your efforts, the NIST Cybersecurity Framework by the National Institute of Standards and Technology is one to consider. It’s commonly used across industries for good reason. It covers a broad range of risks — cyber, physical and personnel — and focuses on business outcomes. It employs a before/during/after approach that resonates with many executive leaders.

Your strategy should detail how your board performs cyber oversight, including:

  • An overview of your company’s IT and cyber roles, responsibilities and reporting
  • Specific areas you review, like software, cloud solutions, physical security and network security
  • Frameworks you use, like NIST
  • Training, certification and credentialing programs
  • Protocols for breach response and business continuity: how would you respond to data theft or ransomware-based extortion?
  • Practices for remediation: for example, was an incident caused by a vulnerability or deliberate sabotage? Was the motive extortion or data theft?
  • Use of third parties and partners in areas like penetration testing or outside expertise
  • Thorough documentation of any technology operation or security control that your department adds to its inventory

Controls are an important — and often underappreciated — aspect of risk management. They give an organization confidence that technology operations and security solutions are working as they should.

Continuous control monitoring is particularly effective. It can play a valuable role in risk analysis, from determining an event’s probability and potential frequency to estimating the cost of mitigation.

Measure the right things

Finally, the board will want to know how effective your measures and mitigations are.

To answer this, look at risk in terms of metrics. As the old adage says: “That which isn’t measured can’t be managed.”

Your board will want to see numbers — and for good reason. These numbers tell a story. What’s your organization’s history of risk and loss? What’s your risk exposure today, and what’s the forward-looking horizon regarding trends, vulnerabilities, mitigation and management?

In a sea of data, don’t risk data overload. Focus on just the metrics aligned with organizational goals. From here:

  • Set a baseline for charting progress with your policies, industry benchmarks or competitors’ actions.
  • Get organized and group your metrics by department or function, like governance or security operations.
  • Get specific and look at incident closures and counts.
  • Connect it all to the bottom line by correlating metrics to potential costs — and potential opportunities.

And remember: Just because something can be tracked doesn’t mean it should be. If a metric doesn’t directly correlate to behavior, business decisions or the bottom line, it may not be worth your time.

You’ve developed your comprehensive cyber strategy. Now you’re ready for step 2 — presenting it to the board. Read our next blog in the series for more tips and best practices.
