What CISOs need to know about reporting IT risk
As cyber risks become increasingly complex, knowing all the threats, vulnerabilities and responses is only half the battle. CISOs also need to be able to share this information with the board — coherently, concisely and effectively.
It’s a tricky mission, but at Gartner’s 2023 Cybersecurity Conference, Diligent CISO Henry Jiang, Team Lead/Solutions Engineer Ryan Torio and Global Product Marketing Director Erin Lemky shared tips that can help make your cyber reporting more effective.
Here are some highlights from their panel session, “Delivering Board-Ready Clarity in Reporting IT Risk: What Today's Board Needs to Know.”
Mind the shadows and third parties
In a suspenseful thriller, danger often lurks in the shadows, where it’s least expected. The same is true of IT and cyber risk.
Jiang cautioned audience members to extend their watchful eyes beyond the typical IT assets, workflows and boundaries.
Take procurement systems and HR platforms, for example. They're low-maintenance, single sign-on and running in the cloud, which makes them easy to leave outside the security team's field of view. But this "shadow IT" still needs effective cyber monitoring and risk management.
Think of an organization onboarding hundreds of consultants. If you discover that some accounts exist in the organization's Active Directory but not in the HR system of record, "that's a huge risk and red flag," Jiang said. Same with a vendor that hasn't gone through all of the legal, procurement and security reviews.
“You shouldn't be paying an entity without them being in your sphere of monitoring and your third-party risk management program,” Torio emphasized. And, on a similar note, it should be easy to determine who your terminated users are, in almost real time.
Torio cited the value of continuous monitoring programs and being able to connect across systems of record, critical financial systems and supply chain systems.
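The cross-system checks Jiang and Torio describe (accounts in Active Directory with no HR record, terminated staff still enabled, vendors being paid without a completed third-party review) come down to joining systems of record against each other. The following Python is an added example written for this page; it is not code from the panel, from Diligent or from any product. All sample data is constructed inline, the identifiers are hypothetical, and the 24-hour grace window between an HR termination and the account being disabled is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Constructed sample extracts (not from the article): an HR system of record,
# an Active Directory export, an accounts-payable feed and a third-party
# risk management (TPRM) register. All IDs and names are hypothetical.

@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    status: str                              # "active" or "terminated"
    terminated_at: Optional[datetime] = None

@dataclass(frozen=True)
class AdAccount:
    sam: str                                 # sAMAccountName
    employee_id: Optional[str]               # employeeID attribute; None if unset
    enabled: bool

@dataclass(frozen=True)
class Payment:
    vendor_id: str
    amount: float

@dataclass(frozen=True)
class VendorReview:
    vendor_id: str
    legal: bool
    procurement: bool
    security: bool

NOW = datetime(2023, 6, 7, 12, 0, tzinfo=timezone.utc)   # assumed "as of" time

HR = [
    HrRecord("E100", "active"),
    HrRecord("E101", "active"),
    HrRecord("E102", "terminated", NOW - timedelta(days=3)),
    HrRecord("E103", "terminated", NOW - timedelta(hours=2)),
]
AD = [
    AdAccount("alice", "E100", True),
    AdAccount("bob", "E101", True),
    AdAccount("carol", "E102", True),       # terminated 3 days ago, still enabled
    AdAccount("dave", "E103", True),        # terminated 2 hours ago, inside grace
    AdAccount("consult01", "C900", True),   # consultant never entered in HR
    AdAccount("svc-backup", None, True),    # account with no employee ID at all
]
PAYMENTS = [Payment("V1", 12000.0), Payment("V2", 4500.0), Payment("V3", 900.0)]
TPRM = [
    VendorReview("V1", legal=True, procurement=True, security=True),
    VendorReview("V2", legal=True, procurement=True, security=False),
]

def orphan_ad_accounts(ad: List[AdAccount], hr: List[HrRecord]) -> List[str]:
    """AD accounts whose employee ID does not resolve to any HR record."""
    known = {r.employee_id for r in hr}
    return sorted(a.sam for a in ad if a.employee_id not in known)

def stale_terminations(ad: List[AdAccount], hr: List[HrRecord],
                       as_of: datetime, grace: timedelta = timedelta(hours=24)) -> List[str]:
    """Enabled AD accounts whose HR record was terminated more than `grace` ago."""
    cutoff = as_of - grace
    terminated = {r.employee_id: r.terminated_at for r in hr
                  if r.status == "terminated" and r.terminated_at is not None}
    return sorted(a.sam for a in ad
                  if a.enabled and a.employee_id in terminated
                  and terminated[a.employee_id] <= cutoff)

def unvetted_paid_vendors(payments: List[Payment],
                          tprm: List[VendorReview]) -> Dict[str, Tuple[float, List[str]]]:
    """Vendors paid without a complete legal/procurement/security review.
    Returns vendor_id -> (total paid while unvetted, list of what is missing)."""
    reviews = {v.vendor_id: v for v in tprm}
    flagged: Dict[str, Tuple[float, List[str]]] = {}
    for p in payments:
        v = reviews.get(p.vendor_id)
        if v is None:
            missing = ["not in TPRM register"]
        else:
            missing = [step for step in ("legal", "procurement", "security")
                       if not getattr(v, step)]
        if missing:
            total = flagged.get(p.vendor_id, (0.0, missing))[0] + p.amount
            flagged[p.vendor_id] = (total, missing)
    return flagged

if __name__ == "__main__":
    print("AD accounts with no HR record:", orphan_ad_accounts(AD, HR))
    print("Terminated but still enabled:", stale_terminations(AD, HR, NOW))
    print("Paid without full review:", unvetted_paid_vendors(PAYMENTS, TPRM))
```

Each finding maps to a board-level key risk indicator (orphaned identities, termination-to-disable lag, spend to unvetted vendors); running this against nightly exports is the "continuous monitoring" and "near real time" terminated-user visibility the speakers describe, and the grace window is the tunable that turns the raw join into a defensible metric.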
Put data in context
“You’ve got to be careful with all the data that's supplied to you,” Jiang emphasized. “What's really the story?”
And what’s the context? Say you discover a vulnerability that’s been left unmitigated for a critical number of days. Is it a people problem — a lack of knowledge? Is it a money problem? Without analysis that leads to a root cause, Jiang concluded, “data’s just sitting there.”
CISOs and risk teams should also take the time they need. “It’s more than just ‘Hey, this chart looks good. I'm going to put it out there,’” Jiang said. “We spend days deciding which chart we should put out there, and what context we’re adding to the story.”
Technology can help. “We can shave off the 100 to 200 hours it takes from an aggregation standpoint for us to even start creating that story,” Torio said. “Data automation and having everything essentially in one place definitely helps.”
Remember the board’s role
There’s a big difference between oversight — having the big picture of risk, monitoring and management — and information overload. When reporting to their boards, it’s important for CISOs to keep in mind that less is more — and that the right details should take center stage.
“A board’s main function is oversight, right? Boards should not tell you what to do and not to do,” Jiang emphasized. From your presentation, boards need to grasp the organization’s risk exposure and profile so they can allocate the right resources to the problem.
As always, data is crucial to helping your board understand what’s going on. When you report to the board once a quarter — or even once a year — you won’t need real-time or even near-real-time data. “That being said, it’s important to have real-time data on tap when needed. A good board member always reads through this material and takes notes,” Jiang said. “They might just pick up a key risk indicator and challenge you during that meeting.”
“Before my CTO goes to the board meeting, I want to make sure he understands every single metric we put on the board deck,” Jiang said.
Above all, tell a story
Productive cybersecurity conversations don't lose sight of the forest for the trees. "I think a lot of reporting templates overemphasize data points that are buried in the nitty-gritty. The board typically doesn't have either expertise or time to understand that," Jiang said. He cautioned that "two pages is probably the maximum" for a board report and that "you need to be really careful in choosing the message."
When communicating risk to the board, wrap it all up in a story: compliance, risk, vendor management and beyond. And always keep your audience in mind.
“Take the same story you're wanting to convey, seen from your perspective, but word it in their perspective and in terms of what they're trying to achieve," Torio advised.
Ready to take your board meeting preparation to the next level? Download Diligent’s board-ready CISO checklist.