Cybersecurity is highly technical and can be confusing to those working outside of the “trenches.” The conversations around the subject are often siloed to security and IT teams and don’t impact others unless a breach or serious incident occurs. With the increase and severity of cyberattacks, CISOs and their teams can’t be the only ones up to speed on the current threat landscape. The C-suite and Board need to be just as aware of their cyber risk posture and determine if it’s aligned with their company’s cyber risk tolerance. While the C-suite and Board are becoming more knowledgeable about these risks, CISOs are tasked with communicating the threats to this group, especially as a responsibility - and impact of cyber incidents - across the organization continue to widen.
With the responsibility to communicate cyber risk to the C-suite and Board often comes a related challenge: the soft skills needed to communicate risk to a business audience effectively. When CISOs get their time with the Board and their colleagues in the C-suite, they may have a method they’ve adopted, but (like many areas) there are opportunities to improve upon the messaging to communicate details about their organization’s cybersecurity program and associated risks. In order to create an open and valuable dialogue, the National Association of Corporate Directors (NACD) provides Board members with critical questions to ask the CISO. Some example questions include:
● What is our potential financial exposure to cyber threats?
● What cyber threats are most likely to have a major financial impact on our business?
● How much financial exposure are we willing to accept across our enterprise and digital supplier ecosystem?
● How can we align our budget, implement controls, develop strategy and optimize risk transfer to address our cyber risk exposure?
● Are our digital initiatives being developed in a cyber-resilient way?
If C-suite members and Boards have these questions in their back pockets, it will help them articulate security concerns, within the right context, to the CISO. And for CISOs, being best prepared to articulate these positioning points will ensure they walk into a productive setting with their stakeholders. But, with addressing these points comes the “how” of doing so. So how can CISOs do a better job of offering clarity on the risks and problems security teams are facing? Let’s dive in and explore best practices.
Resist Getting Too Technical
CISOs who get too in the weeds with technical cybersecurity terms that Board members aren’t familiar with are setting themselves up for failure. Board members will get lost in the technical details and won’t be able to follow along with the CISO’s key points. This creates a clear disconnect between the current cyber defense landscape and where the company is in terms of the cyber controls that adequately provide the defense and protection needed. CISOs should only offer only the necessary information at an audience-relevant level - focus on the challenges, needs and best next steps to keep the organization secure in a manner that resonates with the stakeholders.
Keeping in mind that context is key, why decisions were made by the CISO is a common ask of Board members, along with garnering the CISO’s confidence level as a result of his/her decisions.
Provide a Business Context
Supplying a penetration test or vulnerability scan to show the greatest, current threats the organization is facing is a great start. The Board will need to know the level of confidence the CISO has when it comes to the company's resilience from a cyber defense perspective. Boards need to understand what the most impending risk is based on the current analysis of the industry's threats from ransomware and phishing attacks to data breaches.
When the CISO can put the current risks in context with the business, everyone is more likely to understand the situation and be on the same page. This is essential before diving into the company's current security program, budget needs or future plans. Think about the most important business needs now in order to gain the attention and trust of the C-suite and Board for the long haul.
Speak From a Cost-Based Analysis Perspective
A common mistake CISOs make when quantifying risk to their C-suite and Board is using an Ordinal Scale of measurement, which doesn’t allow for an overlay of risk tolerance. An effective and successful method is explaining the risk from a cost-based perspective. Illustrating the percentage of loss potential against the dollar of loss potential in a current vs. target state helps C-suite and Board members understand the context of the risks at hand (e.g., We currently have a 50% chance of losing $10M as a result of our current landscape of controls and we need to deprecate our risk posture to a 10% chance of losing $10M). The C-suite and Board members will always want to know how much money to allocate to enhance the controls and who they need to hire to get the job done, but providing a specific context of loss value as a result of the lack of enhancements is a vital lens to gain a crisp understanding of minimizing risk posture.
Organizations are being forced to do more with less while saving on budget and resources, so CISOs should keep this context in mind when communicating internally. At the end of the day, CISOs are considered to be governors of risk. If the organization decides to allocate a certain dollar amount for risk mitigation, then there is a residual risk that needs to be illustrated to stakeholders by the CISO so everyone is on the same page regarding how much can be done with less and how much risk is left as a result of doing less.
Get in Front of the C-suite and Board Regularly
CISOs should be present in front of their key stakeholders on a quarterly basis to provide a snapshot and actionable view of the organization’s cyber posture. It’s best to avoid too much time in between meetings in order for CISOs to continue gaining the trust they need to build and lead a successful security program in an organization. Frequent updates to the Executive Leadership Team between Board readouts provide needed awareness of the current cyber environment and the organization’s potential risks. It also allows for questions, clarification, resource support and guidance, so that if a quick change is needed, the CISO can adequately respond while ensuring the organization isn’t vulnerable to critical threats.
With all of these tips in mind, it’s paramount for CISOs to regularly test the resiliency of their security controls and the defenses in place to protect against the ever-changing cyber threat landscape. Without regular insights into the changing attack vectors and methods, CISOs' needs and conversations can get lost in translation with the Board and C-suite. Creating specific plans of action relevant to the cyber risk landscape, effective controls in place, areas of planned improvement, budgetary needs, and a clear timeline ensures that the entire organization is aligned and doing its best to remain protected at all times.
About the author: Fawaz Rasheed is the Field CISO for VMware and a veteran C-Suite and Board Cyber Security Advisor.
