By Justin Silbert.
Perhaps the most misunderstood challenge of the modern-day CISO continues to be communication with the Board of Directors. The task seems simple, but there is a major disconnect between the CISO and the Board. According to the Cyentia Institute's 2017 Cyber Balance Sheet report, "even basic questions on the value of cybersecurity show little consensus; things cited by Board members as the most critical fell dead last among CISOs".
With such a fundamental misalignment, two questions remain: where is the breakdown, and what is the cause? CISOs know that Boards want to hear about cybersecurity in business terms, not technical terms. A good CISO should not be talking to the Board about firewalls and threat intelligence. But even when CISOs attempt to frame security in terms of the business, they continue to flounder. According to the Cyentia report, even the "value" of security is disputed. Boards tend to see security primarily as data protection and brand reputation, while CISOs see their job as providing security guidance and business enablement. In other words, the Board looks primarily at security risk, while the CISO's perspective reflects the day-to-day reality of running the program. For example, both the Board and the CISO want the organization to be resilient against a denial-of-service attack. The Board is interested in how robust the controls are and how much residual risk remains, while the CISO is focused on the policies, procedures, and controls that get the organization to that end goal.
Another point on which they differ is the effectiveness of the cybersecurity program. CISOs tend to rate their programs highly, while Boards tend to rate them poorly. CISOs are not effectively promoting the strengths of their programs, though they probably believe that they are. One explanation is that this rift is a consequence of how the message is framed. More likely, however, the metrics that are so valuable to a CISO on a daily basis are simply not meaningful to the Board. The Board is most interested in a few KPIs (key performance indicators) that most inform enterprise risk and legal exposure, including civil lawsuits that may result from an incident:
- Compliance informs the Board about regulatory ramifications, which can range from fines to a halt in operations. HIPAA, GDPR, GLBA, SOX, and other regulations carry significant consequences if they are not followed, and the Board wants to steer clear of penalties. Non-compliance can also expose the organization to legal liability.
- Risk posture gives the Board a sense of the likelihood of an incident and its consequences. Boards are also keenly interested in how well the risk posture aligns with the risk appetite (the amount of risk the Board has defined as acceptable).
- Incidents (not events) that have affected or will affect the organization must be communicated. However, this is not the time to educate the Board on phishing versus man-in-the-middle attacks. Boards want to know the potential and realized consequences of the incidents, along with the mitigations in place to reduce loss.
- Maturity of the security program is a way of evaluating the CISO and their leadership of the program. The Board wants to know how well the program is doing and what the roadmap is to get to the next level. When communicating security maturity, peer benchmarks are a great way to normalize the conversation, so that the Board's expectations are in line with comparable organizations.
To really grab the Board's attention, you need to relate your cybersecurity program to the strategic business goals. For example, if there is merger and acquisition activity, you need to focus on what the impact of an incident may be on the deal. A prominent example occurred while Verizon was negotiating to buy Yahoo: as Yahoo's data breaches surfaced and the number of affected consumers grew, Verizon negotiated a reduction in the purchase price. Alternatively, a business may be pursuing rapid growth and accepting higher risk, in which case the cybersecurity brief should center on scaling security along with the business.
As CISOs are learning, so are Board members. They are learning about cybersecurity, why it is critical to their responsibilities, and what it means for the organization. As the threat landscape and the cybersecurity industry move forward, there are many opportunities on both sides to improve communication.
For additional guidance on proper communication with the Board of Directors, please contact LEO Cyber Security, and continue to come back to our blog for more strategies.