In a recent PwC survey of board members, 82% said that cyber threats had moved from an IT issue to one that would drive overall strategic change for their companies. This is an evolutionary change in board attitudes, driven by increased regulation (from the European Union, the SEC, the New York Department of Financial Services, the State of California, and more to come) and by direct impacts on the bottom line (for instance, the NotPetya malware attacks that knocked major international companies offline in 2017). To meet their responsibilities, boards are demanding to know, really know, their organization’s cyber risk.
Has your IT or cybersecurity organization evolved to keep up, in terms of reporting cybersecurity risk to the board at a corporate strategic level? Here’s a test: are you still hearing these statements from your CISO?
If that sounds familiar, your CISO or CIO has a way to go up the evolutionary scale. That is not necessarily a criticism: information security is a field that is itself in flux, and infosec practitioners are often following widely accepted professional practices, inadequate though they may be. Here’s a short guide to CISO communication styles to the board and how they are evolving.
Often illustrated with horror stories of recent cyber attacks and followed by a pitch for more budget, because it could happen to us! No word on how the requested budget would address our specific risks. But it could happen to us!
Here’s a survey showing that average spending on cybersecurity increased over the past year; we should do the same. This is peer pressure, a more polite form of FUD.
The CIS Critical Security Controls for Effective Cyber Defense (originally developed with the SANS Institute), for example, are an excellent checklist of basic steps that organizations can complete to form the foundation of a cybersecurity program. By completing these steps, an organization can assume it has reduced risk. But only assume: a checklist records which controls are in place, not how much loss exposure they removed.
A step up from the compliance checklist, maturity models such as the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), with its implementation tiers, are detailed lists of best practices that can be tailored to an organization’s specific, perceived risks and cover an entire information security program, not just controls. As organizations work their way through these best practices, they can measure their improving maturity (and justify spending to reach the next tier). But nothing in the NIST CSF says how to measure cyber risk. Again, increasing maturity is assumed to equal decreasing risk, but only assumed.
Now, we are talking true cybersecurity maturity. Organizations that have evolved to this level have implemented these breakthroughs:
Here’s a reliable measure of maturity for boards demanding better visibility into cyber risk from management: implementing the FAIR model, the international standard for cyber risk quantification (published by The Open Group), and the RiskLens platform, the only application purpose-built on FAIR to power cyber risk economics. An estimated 30% of the Fortune 100 now run the FAIR model in their risk management shops; that’s cyber risk communication, evolved.
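The difference between assuming risk reduction and measuring it is easiest to see with numbers. The block below is an added illustration of the FAIR structure (Risk = Loss Event Frequency × Loss Magnitude, with Loss Event Frequency = Threat Event Frequency × Vulnerability), written for this page; it is not code from the page, from RiskLens, or from The Open Group. The scenario name and every calibrated range in it are constructed, the triangular distribution stands in for the PERT distribution FAIR practitioners usually use, and the number of loss events per simulated year is drawn from a Poisson process; all three are simplifying assumptions. What it shows is the kind of output a board can act on: a loss-exposure distribution with a mean and tail percentiles, rather than a maturity score.

```python
"""FAIR-style Monte Carlo estimate of annualized loss exposure (ALE).

Illustrative, stand-alone code added for this page; not RiskLens code.
Structure follows the FAIR ontology:
    Risk (annual loss) = Loss Event Frequency (LEF) x Loss Magnitude (LM)
    LEF = Threat Event Frequency (TEF) x Vulnerability
Each input is a calibrated (min, most likely, max) range. A triangular
distribution is used in place of PERT (simplifying assumption).
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Range:
    """A calibrated estimate: minimum, most likely, and maximum value."""
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # random.triangular(low, high, mode): mode is the third argument.
        return rng.triangular(self.low, self.high, self.mode)


@dataclass(frozen=True)
class Scenario:
    name: str
    tef: Range             # threat events per year
    vulnerability: Range   # P(threat event becomes a loss event), 0..1
    loss_magnitude: Range  # loss per loss event, in currency units


# Constructed example scenario; the name and all ranges are hypothetical.
EXAMPLE_SCENARIO = Scenario(
    name="Ransomware on the customer-records file server (hypothetical)",
    tef=Range(2, 4, 10),
    vulnerability=Range(0.10, 0.20, 0.40),
    loss_magnitude=Range(50_000, 200_000, 2_000_000),
)


def poisson(rng: random.Random, rate: float) -> int:
    """Number of loss events in one year for a given rate (Knuth's method)."""
    limit = math.exp(-rate)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def percentile(sorted_values: list, q: float) -> float:
    """Nearest-rank percentile of an already sorted list."""
    idx = int(round(q * (len(sorted_values) - 1)))
    return sorted_values[idx]


def simulate(scenario: Scenario, trials: int = 50_000, seed: int = 1) -> dict:
    """Run `trials` simulated years and summarize the annual-loss distribution."""
    rng = random.Random(seed)
    annual_losses = []
    for _ in range(trials):
        # Loss Event Frequency for this simulated year.
        lef = scenario.tef.sample(rng) * scenario.vulnerability.sample(rng)
        # Number of loss events that actually occur, then a magnitude for each.
        events = poisson(rng, lef)
        loss = sum(scenario.loss_magnitude.sample(rng) for _ in range(events))
        annual_losses.append(loss)
    annual_losses.sort()
    return {
        "mean": sum(annual_losses) / trials,
        "p50": percentile(annual_losses, 0.50),
        "p90": percentile(annual_losses, 0.90),
        "p95": percentile(annual_losses, 0.95),
        "max": annual_losses[-1],
        "p_zero": sum(1 for x in annual_losses if x == 0) / trials,  # loss-free years
    }


if __name__ == "__main__":
    result = simulate(EXAMPLE_SCENARIO)
    print(EXAMPLE_SCENARIO.name)
    print(f"  expected annual loss:      {result['mean']:>14,.0f}")
    print(f"  median year:               {result['p50']:>14,.0f}")
    print(f"  1-in-10 year (p90):        {result['p90']:>14,.0f}")
    print(f"  1-in-20 year (p95):        {result['p95']:>14,.0f}")
    print(f"  worst simulated year:      {result['max']:>14,.0f}")
    print(f"  share of loss-free years:  {result['p_zero']:>14.1%}")
```

With the constructed ranges the expected annual loss works out to roughly the product of the three range means (about 0.93 million), and the p90 and p95 figures are what let a board compare a proposed control's cost against the tail it shrinks; re-running `simulate` with a control's expected effect folded into the vulnerability or loss-magnitude range is how "this budget addresses these risks" becomes a number instead of a slogan.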