Some painful, but necessary, reading for CISOs: A new survey breaks down just how far off CISOs are in their efforts to communicate to boards of directors.
The Cyentia Institute, a cybersecurity research firm (sponsored by risk management consultants Focal Point), interviewed more than 100 CISOs, corporate directors and other experts. The bottom line:
Our findings show that even basic questions on the value of cybersecurity show little consensus; things cited by Board members as most critical fell dead last among CISOs … Boards crave far more business-relevant reporting than CISOs.
The newly released report, titled Cyber Balance Sheet, was authored by Cyentia’s Wade Baker, with assistance from a group of cybersecurity thought leaders (including RiskLens co-founder Jack Jones). Yes, it’s troubling but also filled with some helpful (and hopeful) tips about finding a balance between the world views of the board room and the server room.
Here are the 5 key communication gaps and recommendations—or “finding the balance,” as the report says—followed by 10 tips that CISOs and board directors agreed would improve communication [see the infographic].
1. On the value of cybersecurity
Over 90% of board members interviewed listed “data protection” as the primary value of cybersecurity, followed by “brand protection”. Not surprising since security breaches (and resulting brand damage) are board-level responsibilities. Yet CISOs listed those two at the bottom of their lists—they see cybersecurity’s highest values to the organization as “security guidance” and “business enabler”.
Boards should take an active role in clearly establishing what the business needs from the security program … If direction is not forthcoming, CISOs should initiate this discussion as soon as possible.
2. On how to communicate cybersecurity’s value
CISOs didn’t rank any communication technique as particularly effective in getting through to the board on the value of security. They said their best audience is a board that was already aware of cybersecurity. CISOs interviewed were split on whether “presentation skills” are a problem or an opportunity. “It’s difficult to articulate why more money is needed when we haven’t seen major incidents or impacts,” said one interviewee. A more successful communicator said, “I always wondered what the disconnect was and then I realized the challenge was presenting security info in business terms. From that point on, I began looking at security goals in the context of business objectives.”
CISOs must first understand what the Board values … Then they should use that information to orient the security program toward delivering and demonstrating that value.
3. On assessing security posture and priorities
Bad news here for CISOs. About 40% of security officers surveyed said they are confident in their security programs’ effectiveness. About 50% of board members said they are not confident. The report dug into this communications chasm and concluded that the two primary means of assessing security posture – external standards (like NIST, ISO or FFIEC) and risk assessments – gave confidence to security officers, but board directors were not so impressed by adherence to these industry standards.
Knowing and showing the difference between the concepts of adherence and effectiveness is important. The Board’s confidence isn’t based on where the security program stands on a list of to-do’s as much as whether it’s standing strong in the face of material weaknesses to the business and headed in the right direction.
4. On finding meaningful metrics
Another big communication gap when it comes to metrics: about 80% of board members surveyed said they most want to see metrics on risk posture. And in fact, “CISOs report risk metrics to the Board more than anything else.” The problem: “It just seems their go-to metrics are more in line with day-to-day operations like system defects and security events/incidents.” On the bright side, “CISOs are clearly increasing the supply of business-level metrics (especially cyber risk) to meet the demand from the top.”
It’s OK to have different metrics for different audiences and purposes, but understand what’s what. Metrics reported to the board should be tied to business-level outcomes supported by the security program.
5. On measuring and expressing cyber risk
The largest contingent of CISOs interviewed measure risk by categories, followed by a contingent that expressed risk as a numerical score. “Not many measure risk in terms of financial losses expected over a given timeframe,” says the report. On the other hand, “boards are very accustomed to the concept of enterprise risk management (ERM) and discussing the financial, strategic and operational risks to the firm is standard Boardroom fare.” Still, Boards don’t expect CISOs to sound just like CFOs—mainly they say, “Tell me a story and then back it up with a few numbers”.
Ultimately, how risk should be expressed is a product of both Board preference and organizational maturity. If your organization isn’t ready for quantification, begin by using proper terminology and logic in your qualitative descriptions of risk. Experience shows that Boards fed mostly words about risk will eventually begin asking questions that require numbers, and likely dollars, to adequately answer. When it comes to that, there are some good resources out there to help CISOs and their staff meet that need. (In particular, the report cites Measuring and Managing Information Risk: A FAIR Approach by Jack Jones and Jack Freund and How to Measure Anything in Cybersecurity Risk by Douglas Hubbard.)
The Cyber Balance Sheet ends on a hopeful note with a Top 10 list on how CISOs can improve communications (regarding cybersecurity) to the Board.
The Cyber Balance Sheet Top 10 Tips for CISOs to Improve Communication to the Board about Cybersecurity
1. Relate to the business. Use terms the board will understand.
2. Build security awareness. Explain “who would target us” but avoid hype.
3. Be credible and candid. Share good news and bad; be clear what you don’t know.
4. Provide pointed evidence. Talk in dollars if possible.
5. Know the audience. Understand the expectations of the board.
6. Keep it simple and interesting. Tell a story that’s easy to follow.
7. Show your plan and progress.
8. Interact regularly and directly, including outside the boardroom.
9. Listen, learn and adapt your presentation approach to the needs of the Board.
10. Don’t recreate the wheel. Use a recognized reporting framework that’s been validated by your peers.
The RiskLens application enables CISOs to express cyber risk in financial terms that board members can understand. Contact us to learn more.