In a recent survey by Gartner, 88% of Boards of Directors said they view cybersecurity as a business risk as opposed to a technology risk.
Yet most CISOs still approach reporting to the board and senior executives in technical terms – NIST CSF “maturity levels” or vulnerability patch response times – instead of the financial language of business risk, such as return on investment (ROI) of security spending for risk reduction.
How can CISOs and other executives responsible for cybersecurity change their communication style and talk to the business leaders in the most impactful way?
In an article for the National Association of Corporate Directors (NACD), Getting the Right Cybersecurity Metrics and Reports for Your Board, ERM expert and board director James Lam and RiskLens' Chief Risk Scientist Jack Jones gave these three goals for successful reporting:
Transparent about performance, with financially focused results based on easily understood methods.
Benchmarked, so directors can see metrics in context to their industry.
Decision-oriented, so the board can provide oversight of management’s decisions, including resource allocation and cyber insurance.
The key to all three: Quantitative measurement of cyber risk based on a standard model for risk analysis like FAIR™ (the model behind the RiskLens platform) and relevant data from respected sources (like Advisen, Verizon, SecurityScorecard, sources for the data curated by RiskLens).
Let’s take a deeper look at achieving these three goals of effective boardroom/C-Suite communication:
Transparent Reporting on Cyber Risk
As Lam and Jones write, the central question for business leadership on cybersecurity is “What is the company’s potential loss?” RiskLens answers that question directly with a dollar figure for probable loss for an event in a risk category (ransomware, insider error, etc.) at your company. Standing behind that figure is extensive research by the RiskLens data science team on the probability of cyber events occurring and the value of assets at risk, specific to industries, geography, business size and other parameters – and customizable to your company. The FAIR™ methodology we use is entirely transparent – it’s an open standard that complements all major cybersecurity frameworks incl. NIST CSF, ISO2700x, COSO, CIS.
Benchmarked against Industry Peers
Another common question from the top: How is our cybersecurity program performing vs. our peers? CISOs have struggled to answer, citing unreliable industry surveys on security spending that just cover spending, not risk, or using technical security ratings. RiskLens reporting, based on empirical data and data science, can directly answer that question in dollar terms, with a My Cyber Risk Benchmark report that compares your risk posture to the industry average.
Analysis Results that Support Security Investment Decisions
The top-line number for loss exposure from a data breach or other cyber event is highly informative for organizations as a baseline for planning security investment but the RiskLens reporting also shows the probability of occurrence in a year of a type of cyber event, so leadership gets a fuller context of what’s at stake in their decisions.
My Cyber Risk Benchmark reporting shows the various ways in which losses materialize (incident management, lost revenue, fines and judgments) and SecurityScorecard grades included in the reporting rate the organization’s performance on 10 factors that may need improvement (application security, social engineering, patching cadence, etc.).
Sign Up for Upcoming Webinar Training, "CRQ for All Series: My Cyber Risk Benchmark Tool", to see it in action!
As Jack Jones and James Lam write, “We recognize that cybersecurity is a relatively young discipline, compared to others under the umbrella of enterprise risk management (ERM). But it’s not a special snowflake…We believe the number should be zero when it comes to the percentage of directors dissatisfied with the cybersecurity information provided by management.”