Phil is the CEO and co-founder of the Cyber Leadership Institute and an experienced cybersecurity advisor, author, and public speaker. He is the Amazon bestselling author of The Five Anchors of Cyber Resilience, a practical cyber strategy book for senior business leaders. He is also the 2017 ISACA International’s Michael Cangemi Best Book/Article awardee for his major contributions in the IS audit, control, and security field.
Despite the board's growing enthusiasm about the significance of cyber risks, most of them still find cybersecurity highly cryptic and existing frameworks tedious. Excessive use of cybersecurity jargon—some unfathomable even to technology professionals—is the main culprit. Senior business leaders get marred by confusing reports that leave them frustrated and unclear about the critical threats targeting their businesses and the required investment to strengthen their defenses. How can CISOs cut the noise and trouble to enlist their executives or corporate directors’ buy-in to the cyber transformation?
The major pain point
Most business leaders still perceive cybersecurity as too complex, and that is not surprising. Based on my experience on cyber defense frontlines and training cyber leaders from dozens of countries, cybersecurity professionals often provide senior business executives highly ambiguous cybersecurity reports, accompanied by low-level, detailed metrics. No wonder that 91% of the directors polled by NASDAQ and security firm Tanium in 2016 admitted that they do not understand cybersecurity.
Cyber-resilient enterprises acknowledge that board oversight and C-suite leadership are essential to driving any transformational change. By role modeling expected behaviors and upholding the virtues of their cyber risk appetite, senior leaders can set a powerful tone at the top that can cascade down the enterprise's ranks. Given that the stakes are high (consider the succession of high-profile cyber risk events, including recent hacker incursions at Equifax, Uber, Facebook, and Google), the senior executives and corporate directors’ engagement into cyber resilience is non-negotiable.
But despite the rise in appetite, most senior business leaders are still delegating cyber resilience matters to middle management or are simply shying away, overwhelmed by technical jargon and a barrage of meaningless technology-centered metrics. Compounding this is the fact that most cyber leaders have their roots in technology, not the business. Predictably, they find linking cybersecurity reports to the business value chain a major pain point instead of a convenient way to secure buy-ins from their executives or directors.
Staying clear of cyber blind spots
The above issues are not a counsel of despair. When done right, cyber risk reporting is a powerful way to bridge the chasm between the board and the cybersecurity function and drive the most senior business officers' deep and lasting engagement.
1. Close the expectations gap.
CISOs should raise their game and move away from numbing vocabulary and learn to speak in business terms. Boards of directors have extremely limited time at their disposal and are not comfortable discussing ISO 27001 reports or NIST standards. Rather, they are concerned about how cyber risks will impact the new product's success, business growth, capital cost, innovation, customer trust, profitability, and other crucial business priorities.
For too long, cybersecurity professionals have advocated for greater business visibility and influence. But they also need to articulate cyber risks in ways non-IT business leaders will find relatable and understandable.
CISOs can do this by linking cyber risks to corporate objectives through an in-depth understanding of business operations, value chain, strategic priorities, risk appetite, and regulatory environment. They need to become provocative storytellers to persuade the board and executive management to act. Risk maps and detailed metrics are not enough—sustained governance requires CISOs to simplify cyber risk in business terms, enlisting executive and director buy-ins.
2. Establish a cyber risk governance committee.
Underpinning any cyber-resilient environment is a strong governance framework. To this end, one of the CISO’s primary areas of focus is to formulate a dedicated cyber risk committee comprised of senior business, technology, and risk executives tasked with ensuring that the business maintains strong defenses against current and emerging cybersecurity threats. A cross-functional cyber risk committee helps diffuse common tensions between security and business teams, reinforces executive and director buy-in for important cybersecurity initiatives, and articulates cybersecurity issues in business terms. Most importantly, it aligns the cybersecurity strategy with enterprise goals. The cyber threat and technology landscapes are changing at breathtaking speeds. Accordingly, the cyber risk committee should provide detailed cybersecurity updates to the board regularly.
The CISO should chair the cyber risk committee. Acceptance of this responsibility naturally elevates the CISO's role within the business. Senior business officers, such as the CEO, CIO, General Counsel, PRO, CCO, CEO, and the CFO, should all be part of the cyber risk committee. One advantage of a cross-functional committee is that the CISO can use it as a powerful educational forum to conduct tabletop exercises or cyber wargaming or invite external threat intelligence specialists to debrief the board.
3. Establish cyber risk governance forums.
To maximize the cyber risk committee's value, enterprises should also establish operational cyber risk governance forums for consistent cybersecurity controls and reporting key matters to the cyber risk committee. During the cybersecurity governance forums (ideally monthly), progress can be tracked against key strategic initiatives, operational scorecards, material incidents, and assurance programs. On the other hand, during third-party governance forums, SLAs, operational scorecards, and assurance processes over high-risk service providers and partners can be checked. During the main cross-functional cyber risk governance forums, the committee can also track BU-level security initiatives' progress against key achievements and aggregated risks.
Operational governance forums ensure that senior executives are not mired with day-to-day technology operations, which frees up time for them to run the business and focus on the strategic aspects of cyber risks.
4. Encourage deeper board-level cybersecurity conversations.
Given that stakes are high, it is no longer enough for the board to simply "note" cybersecurity reports quarterly. Effective cyber risk management requires the board to challenge their risk measures' adequacy against business appetite and strategy.
To have a good grasp of the enterprise cyber risk posture, with the CISO’s help, the board needs to know the following:
- What are the high-risk information assets, and do they have appropriate cybersecurity defenses (for example, if they are running on vendor-supported infrastructure updated with the latest security patches)?
- How do the enterprise’s cybersecurity capabilities, resourcing, and spending compare with industry peers?
- What are its current cybersecurity strategic initiatives, and how do they support the overall mission? Are they aligned with enterprise goals to account for current and future needs?
- How effective are the company’s cyber breach response capabilities, and have they been tested?
- How effective are the cybersecurity assurance procedures of key business partners (especially those charged with handling sensitive information or connecting to the corporate network)?
- How does the residual enterprise-level cyber risk rating compare with the board-approved risk appetite, and what activities are in place to reduce the business risk exposure?
- What were the top data breaches and other cyber-attacks in the industry, and how has the business applied lessons learned from those incidents?
The board should also consider inviting management consultants who work with multiple customers to join the board, to "bring the outside in." These external advisors can offer insights into how similar enterprises tackle rising cyber threats and anticipated regulation changes, or they can inform the board if they are over or underspending cybersecurity. However, external advisors should complement, rather than replace, internal governance and reporting structures. The key to navigating this is for external advisors to present insights to the board in the CISO's presence. This approach creates open relationships of trust, where the board and management can have mutual agendas.
5. Clearly articulate your cyber risk appetite.
Enterprises thrive by taking measured business risks but stumble if those risks are not clearly understood and effectively managed. An articulated cyber risk appetite statement —a formal articulation of the organization's willingness to accept cyber risk—is vital so an enterprise can make critical decisions faster without exposing the organization to risks beyond its capital capacity. The cyber risk governance committee should formulate the cyber risk appetite, and the board should ratify it annually, at the minimum.
Unfortunately, most cyber risk appetite statements are vague and do not provide any meaningful operational team guidance. For instance, a cyber risk appetite that states that the enterprise has a low-risk appetite for losing its business and customer data stimulates boredom. When formulating the enterprise's cyber risk appetite, business leaders should be guided by the organization’s capacity to absorb the accepted risks should they materialize. An effective cyber risk appetite is also tightly linked to an organization's high-value digital assets and considers external obligations to customers, investors, shareholders, and regulators.
The cyber risk appetite should be understandable, actionable, measurable, and supported by clear roles and responsibilities. The board of directors has the ultimate responsibility to ratify the cyber risk appetite, ensuring it supports the enterprise's objective and does not constrain innovation.
6. Establish business-aligned and understandable cyber risk metrics.
Business-aligned and understandable cyber risk metrics are essential in informing the board of directors of its vulnerabilities and strengths. They establish a consistent mechanism to gauge the management's commitment to cyber resilience, reinforce discipline and accountability, and, most importantly, secure executive and director buy-in.
For cyber risk metrics to be valuable to the board and executive management, they should:
- Be unambiguous and be relatable to senior business officers and the board of directors.
- Be centered on the enterprise’s high-value digital assets, critical suppliers, and business strategy.
- Span across people, process, and technology domains to provide a complete picture of the cyber risk profile.
- Refrain from reporting on vain measures, which aim is to arouse emotions without driving real change. For example, telling the board that the cybersecurity team stopped seven million spams may not provide any value, but advising the board that the organization is running on an outdated e-mail threat prevention technology may prompt them to modernize capabilities.
- Inform the board, via brief and clear commentary, of current management initiatives to address measures outside of tolerance, including specific target dates. Metrics identified as red should be accompanied by a brief commentary articulating the plausible business impacts, the likelihood of the risk materializing, and existing compensating controls if any.
- Be continuously revised to remain insightful to the board and relevant to the business environment.
These insights were taken from the principles espoused in The Five Anchors of Cyber Resilience.
Download the whole CISO Playbook: Cyber Resilience Governance for free. Sign up as a premium member to get the complete toolkit with access to our expert mentors and global community of cyber leaders who co-create solutions and business-ready templates.