Need to get the board’s attention on cyber issues? Here’s your first step
When it comes to cybersecurity, identifying risk is only half the battle. A CISO’s next step is to share these risks with leadership to strengthen the organization’s security posture, minimize losses and maximize the ROI of technology investments.
Successfully taking this step requires the ear — and respect — of the board or executive leadership.
If you’re worried or frustrated (or both!) about this, you’re not alone. It’s a top-of-mind issue for security leaders across industries. In fact, CISOs we talked to at this year’s RSA Conference named board reporting among their top concerns.
Mastering board engagement is not only vital for your organization. It’s also critical to your own department’s future: effective board engagement can lead to an increase in your cybersecurity budget and an extension of your team’s capacity.
It’s not enough to merely be an advisor to the board — when you win leadership's trust, you can thrive as a strategic partner.
This blog series is here to help
What frameworks and metrics should you use? Do you have the right technology to support them? How are you making it all unified and easy to understand?
Let’s get started with step one: a cybersecurity strategy that aligns with your organization's objectives. It’s a three-pronged mission — monitoring, mapping and measuring — and it will be the foundation of ongoing board engagement.
Flag your top risks
Among the hundreds of cybersecurity threats and risks in your world, the board has limited time and attention and can focus only on the biggest issues.
It’s vital for a CISO to think comprehensively about the organization’s biggest risks, then ruthlessly triage:
- Which assets and capabilities are most valuable to the organization?
- Which threats are most likely?
- What’s the operational and financial impact of such an event?
- What about reputational damage?
Answers will vary by industry. If your organization collects personal data, a breach could incur millions in fines and diminish customer trust. If your company is an online business like Amazon, every minute your website is down could mean millions in lost sales and customer loyalty. Global manufacturers are particularly vulnerable to risk across their supply chains, and companies in tech, entertainment and pharma are particularly vulnerable to theft of intellectual property.
Most importantly, which risks could be considered material? What’s the trade-off (or opportunity cost) of not investing cyber resources in a certain area?
Neither threats nor potential technology investments are created equal. Some aspects of the enterprise might be okay with just the bare minimum of attention — maybe because there is minimal operational impact or vulnerability. Meanwhile, others might be mission-critical and deserve executive attention and investment.
These are crucial distinctions, and CISOs today can’t afford to get them wrong. To focus the board’s attention — and their organization’s budget — on the right things, they need to understand both the cyber landscape and their organization’s business.
Have the right frameworks — and a plan — in place
The next thing your board will want to know is how you’re managing and mitigating these top-priority risks. Here, too, it’s vital to be prepared with solid security controls and initiatives.
The good news is that a lot of this groundwork has already been done for you. Particularly if you’re in sectors like healthcare, financial services or government, compliance obligations mean you’re already adhering to requirements such as HIPAA, FedRAMP, SOC 2 or Sarbanes-Oxley.
If you’re looking for a framework for your efforts, the NIST Cybersecurity Framework by the National Institute of Standards and Technology is one to consider. It’s commonly used across industries for good reason. Not only does it cover a broad range of risks — cyber, physical and personnel — it also focuses on business outcomes and employs a before/during/after approach that resonates with many executive leaders.
Your strategy should detail how your board performs cyber oversight, including:
- An overview of your company’s IT and cyber roles, responsibilities and reporting
- Specific areas you review, like software, cloud solutions, physical security and network security
- Frameworks you use, like NIST
- Training, certification and credentialing programs
- Protocols for breach response and business continuity, including how you would respond to data theft or ransomware-based extortion, and practices for remediation, such as determining whether an incident was caused by an exploited vulnerability or by deliberate sabotage, and whether the motive was extortion or data theft
- Use of third parties and partners in areas like penetration testing or outside expertise
- Thorough documentation of any technology operation or security control that your department adds to its inventory
Controls are an important — and often underappreciated — aspect of risk management. They give an organization confidence that technology operations and security solutions are working as they should.
Continuous controls monitoring is particularly effective and can play a valuable role in many aspects of risk analysis, from determining the probability and potential frequency of an event to estimating the cost of mitigation.
Measure the right things
Finally, the board or executive leadership team will want to know how effective your measures and mitigations are.
To answer this, look at risk in terms of metrics. As the old adage says: "That which isn’t measured can’t be managed."
Your board will want to see numbers — and for good reason. These numbers tell a story. What’s your organization’s history of risk and loss? What’s your risk exposure today, and what’s the forward-looking horizon in terms of trends, vulnerabilities, mitigation and management?
In a sea of data, don’t risk data overload. Narrow in on just the metrics aligned with organizational goals. From here:
- Set a baseline for charting progress. Start with your policies, industry benchmarks or what your competitors are doing.
- Get organized. Group your metrics by department or function, like governance or security operations.
- Get specific. For instance, look at incident closures and counts.
- Connect it all to the bottom line. Correlate metrics to potential costs — and potential opportunities.
And remember: Just because something can be tracked doesn’t mean it should be. If a metric doesn’t directly correlate to behavior, business decisions or the bottom line, it may not be worth your time.
You’ve developed your comprehensive cyber strategy. Now you’re ready for step two: presenting it to the board. Read the next blog in this series for more tips and best practices.