By: Dr. Edward Amoroso
October 5, 2020
Communicating cybersecurity performance to corporate executives
By: Dr. Edward Amoroso
October 5, 2020
Given the rising tide of data breaches, the value of cybersecurity must be absolutely clear to everyone in the board room. But communicating this value, as well as the risks the company faces, is often challenging.
Most business leaders would agree that cybersecurity is a top priority, but then they also have many other top priorities, such as dealing with financial pressures and overseeing their digital transformation initiatives.
A CISO’s role is to support this broader range of concerns, albeit from a cybersecurity standpoint. To do that, they must support innovation and decision-making across all business departments. This is also why cybersecurity communication is not all about communicating the bad things which can happen, but also quantifying and explaining how well the business is performing in risk mitigation.
There are many strategies for communicating the value of cybersecurity to leadership. One of the most effective is using metrics to validate risks and connect them back to the business in financial terms that executives can instantly relate to. Combining this with the power of story-telling and real-world examples can drive sentiment leading to smarter decision-making, which adds value to the entire organization.
5 questions CISOs always need to be able to answer
CISOs used to present boards with a raft of technical and operational metrics, which executives would have difficulty relating to. Today’s CISOs need to look at cybersecurity from the perspective of an executive too – as a business imperative and something that must align with business priorities and appetite for risk. After all, security is no longer just a problem for IT – it must be integral in everything a business does.
CISOs can expect some challenging questions from executives, and they often do not pertain to specific risks or events within the company. These questions can be very broad in scope and difficult to answer, even when there are metrics to back up those answers.
Here are the five main things that executives, boards, and practitioners want to know:
1. How secure are we against meaningful cyberattacks?
While no executive is likely to ask this question verbatim, this is ultimately the main thing they want to know. Chances are, an executive would phrase it along the lines of ‘Are we secure?’. This is one of the most challenging yet common questions CISOs get asked, and a simple ‘yes’ or ‘no’ answer is not going to suffice. Moreover, answering the question definitively can impact the credibility of the company’s entire cybersecurity program.
Firstly, CISOs must explain, in clear terms, what constitutes a meaningful cyberattack. As far as board members are concerned, it is likely anything that can have a measurable impact on revenue, brand reputation, or legal compliance. CISOs must give qualitative and quantitative answers that are specific to the organization’s current cybersecurity posture and the threats facing it.
2. How does our security this year compare to last year?
Cybersecurity is as much about people and process as it is about technology. CISOs need to drive an organization-wide culture of cybersecurity where everyone is aware of the threats and understands the value in the controls and policies put in place to protect against them. Many executives appreciate the fact that cybersecurity is a journey, rather than a destination, and they want to see continual improvement characterized by a high return on investment.
Business leaders often want to draw comparisons, because the threat landscape is constantly changing and evolving, and new technologies present new risks and opportunities alike. It is a lot easier to answer this question by referring to a numeric scale, and many companies do that by assigning a score to their cybersecurity maturity. However, scores alone do not paint the whole picture, especially given the unpredictable and dynamic nature of cybersecurity. CISOs also need to be able to say whether the threats have worsened and whether security controls have improved.
3. Are we spending the correct amount on security operations?
Executives will often ask CISOs if they have the resources they need to do their jobs and, usually, that means financial resources. They want to ensure their funds are being spent wisely, and they also want to know how much they should be investing in cybersecurity. There are no universal rules defining the correct amount to spend on security operations, but many companies allocate a percentage of their wider IT budget. In the <a href="rel=nofollow" "https://www.cio.com/article/3335497/winter-2019-state-of-the-cio.html">2019 State of the CIO report, the mean response was 15%.
The best way for CISOs to answer this question is to showcase the return on cybersecurity investment, such as by demonstrating how a particular system successfully foiled an attack, and how much that attack could have cost the business had it been successful. On the other hand, CISOs may feel their departments are underfunded, in which case will have to demonstrate the risks of continuing as they are. Important metrics to cite here include the number of service outages, security incidents, and the mean time to repair (MTTR).
4. How does our security compare to our peer groups?
When executives ask this question, chances are they are trying to determine whether they are spending too much or not enough on cybersecurity by comparing themselves to their peers. It is important for CISOs to drive the conversation away from being a cost center alone to the ways cybersecurity can add value by reducing risk and establishing a competitive advantage. This question must be answered in the context of the industry and customer and stakeholder expectations.
The easiest and most consistent way to answer this question is by using a recognized industry standard framework for benchmarking. For example, a business in the banking sector comes with very high security and compliance demands, whereas a company that does not collect any sensitive information may get by just fine with the bare minimum cybersecurity controls.
5. Are there ways we transfer our security risk?
Cybersecurity burdens can place enormous strain on organizations, especially smaller ones which cannot afford to maintain a fully-staffed infosec department. In many cases, the costs make having an in-house security operations center (SOC) wholly undesirable. Thus boards are often interested in reducing their expenses by offloading some of their cybersecurity risk onto a third party.
CISOs should always look for ways to increase cost efficiency if only to make it easier to scale their cybersecurity systems and empower innovation without adding unnecessary risk. Some depend on share responsibility models, in which matters of security and compliance are the shared responsibilities of the client and a third-party service provider. Others outsource certain operations to managed security services providers (MSSPs). Finally, there is also the option of cyber insurance, but that rarely covers things like brand damage and loss of value due to an incident.
Measurement refers to the act of collecting data, while metrics is the process of interpreting it. CISOs need to interpret the data in a way that aligns with business priorities and makes sense to executives. That way, they can use data to influence the sentiment which, in turn, leads to better decisions around cybersecurity.
Cybrary helps security leaders close skills gaps and empower their teams to better tackle the challenges of today, and tomorrow. Request your demo of Cybrary for Teams today.