Cyber Risk Communication to the Board: Getting Better All the Time

May 1, 2019  Jeff B. Copeland

In a recent survey of board members by PwC, 82% said that cyber threats had moved from an IT issue to one that would drive overall strategic change for their companies. It’s an evolutionary change in board attitudes, driven by increased regulation (from the European Union, the SEC, the New York Department of Finance, the State of California, and more to come) and by increased impacts on the bottom line (a prominent example being the NotPetya malware attacks that knocked major international companies offline, starting in 2017). To meet their responsibilities, boards are demanding to know (really know) their organization’s cyber risk.

Has your IT or cybersecurity organization evolved to keep up, in terms of reporting to the board about cybersecurity risk on a corporate strategic level? Here’s a test: Are you still hearing these statements from your CISO?

  • “Cybersecurity is different from all other kinds of risks to the enterprise.”
  • “It’s technical so you wouldn’t understand.”
  • “We have successfully patched our vulnerabilities (that we know of) and I’m happy to report that we have not suffered a data breach (that we know of).”
  • “Cyber risks can’t be quantified in dollars and cents. But I can rate them from 1-5 based on my professional opinion of their severity level.”

If that sounds familiar, your CISO or CIO has a way to go up the evolutionary scale. And that’s not necessarily a criticism: Information security is a field itself in flux, and infosec practitioners are often following widely accepted professional practices, inadequate though they may be. Here’s a short Guide to CISO Communication Styles to the Board and how they are evolving.

Fear, Uncertainty and Doubt (FUD)

Often illustrated by horror stories of recent cyber attacks and followed up with a pitch for more budget—or it could happen to us! No word on how the requested budget would address our specific risks. But it could happen to us!

Table Stakes

Here’s a survey showing that average spending on cybersecurity has increased over the past year.  We should do the same.  Peer pressure, a more polite form of FUD.

The Compliance Checklist

The SANS Institute’s CIS “Critical Security Controls for Effective Cyber Defense”, for example, is an excellent checklist of basic steps that organizations can complete to form the foundation of a cybersecurity program. By completing these steps, an organization can assume it has reduced risk. But only assume.

Maturity Models

A step up from the compliance checklist, maturity models such as the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) are detailed lists of best practices that can be tailored to an organization’s specific, perceived risks and cover an entire information security program, not just controls. As organizations work their way through these best practices, they can measure their improving maturity (and justify spending to go to the next level). But nothing in the NIST CSF says how to measure cyber risk. Again, increasing maturity is assumed to equal decreasing risk—but only assumed.

The State of the Art: Cyber Risk Economics

Now, we are talking true cybersecurity maturity. Organizations that have evolved to this level have implemented these breakthroughs:

  • Use a standard model for cyber risk quantification, with a consistent way to define and analyze risks in financial terms—meaning no more 1-5 ratings based on subjective opinions.
  • Treat cyber risk on a par with the rest of enterprise risk, no excuses.
  • Keep technical discussions out of the boardroom: no counts of vulnerabilities patched. Stay focused on the return on investment, quantified in monetary terms as risk reduction, for any cybersecurity spending.

Here’s a reliable measure of maturity for boards demanding better visibility into cyber risk from management: implementing the FAIR model, the only international standard model for cyber risk quantification, and the RiskLens platform, the only application purpose-built on FAIR to power cyber risk economics. An estimated 30% of the Fortune 100 now run the FAIR model in their risk management shops; that’s cyber risk communication, evolved.
