[BreachExchange] 3 Steps CISOs Can Take to Convey Strategy for Budget Presentations
Destry Winant
destry at riskbasedsecurity.com
Mon Nov 23 11:02:30 EST 2020
https://www.darkreading.com/operations/3-steps-cisos-can-take-to-convey-strategy-for-budget-presentations-/a/d-id/1339337?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple
Answering these questions will help CISOs define a plan and take the
organization in a positive direction.
As 2020 nears its end, CISOs and infosec teams are expected to prepare
board and C-suite briefings on the state of their organization's
cybersecurity posture, including a comprehensive 2021 cybersecurity
budget. This is no small feat, as one of the major issues plaguing
CISOs today is that there is little visibility into an enterprise's
attack surface. According to a Ponemon Institute survey, 88% of
breaches are due to poor cyber hygiene that skews the outlook of a
company's security posture. Ultimately, this means that security pros
remain faced with the challenge of maintaining comprehensive
visibility over their complex attack surface while also combating the
evolving threat landscape.
What's more, recent statistics confirm that 16 billion records were
exposed in the first half of 2020. As such, CISOs and security teams
are overwhelmed by the challenge of maintaining and optimizing
security posture, which can be an impediment to developing a strategic
cybersecurity outlook for the board and C-suite. Given this lack of
clarity into the attack surface and security posture, how can CISOs
present a unified and strategic vision for 2021?
Step One: Gain an Understanding of the Organization's Cybersecurity Posture
With billions of security signals across an enterprise attack surface,
CISOs must start with obtaining continuous, comprehensive visibility
of the risks to their organization by utilizing artificial
intelligence (AI) and deep-learning tools to make sense of this vast
number of signals.
Since board members and other senior executives are rarely skilled
cybersecurity pros, CISOs are best served by quantifying cyber-risk in
financial terms that these stakeholders understand. By communicating
in the language of business, rather than technology, CISOs will find a
more receptive audience that better understands the information
security program and is more likely to provide support for infosec
team requests.
Step Two: Build a Board Presentation
Slide No. 1: Where are we on the cyber-risk spectrum?
● This first slide can help the CISO identify where their company is
on the cyber-risk spectrum from the data gathered by the risk
dashboards. Then he or she can quantify the risk scores in financial
terms based on current security controls and outline the business
impact of a breach.
Slide No. 2: Quantify cyber-risks across the business.
● Every enterprise is organized differently, so CISOs should break
down risk areas in pre-existing structures. This might mean organizing
by business unit or asset type. Regardless, the idea is to communicate
the highest risk areas of the business that need additional focus.
Slide No. 3: Show progress with risk trends.
● In this slide, CISOs can offer a high-level summary with
visualizations showcasing how risk levels have changed since the last
board meeting. CISOs can also point out specific areas of risk that
have decreased or increased and support those conclusions with data.
Slide No. 4: Where do we want to be?
● An open conversation with the board about where the organization
should be on the cyber-risk spectrum is key. Companies have an
ever-expanding attack surface as data grows and technology
accelerates. In addition, employees are shifting toward remote work,
which brings a whole new layer of security concerns.
Slide No. 5: How will we get there? Lay out a plan.
● In this last slide, CISOs can present a prioritized list of projects
and deployments for the next quarter and the expected impact on
overall risk relative to projected cost.
● To answer "how will we get there?" effectively, CISOs need to
know their security posture's most vulnerable areas. They can then
present the top risk groups that need to be addressed, building a case
by comparing the cost of mitigations to the likelihood of a breach and
the business impact of a breach for each area.
Step Three: Develop a 2021 Budget
CISOs recognize they cannot reduce their organization's cyber-risk to
zero. Still, they can reduce it as much as possible by focusing on
eliminating the most significant risks first. Therefore, when
developing a budget, CISOs should consider a proactive risk-based
approach that homes in on the biggest cyber-risks facing the business.
This risk-based approach allows the CISO to quantify the risk across
all areas of cyber weakness, and then prioritize where efforts are
best expended. This ensures maximum impact from fixed budgets and
teams.
The fact is, the National Institute of Standards and Technology
reports that an average breach can cost an organization upward of $4
million — more costly than the overall budget for many organizations.
Consider a scenario where one CISO invests heavily in proactive
measures, successfully avoiding a major breach, while another invests
primarily in reactive measures and ends up cleaning up after a major
breach. The proactively inclined CISO ends up spending 10x less
overall.
As a CISO, if you place yourself in the board's shoes and clearly
communicate and quantify your organization's overall cyber-risk, your
message is better received, and you're more likely to get the support
needed to transform your company's cybersecurity posture.
A Solid Foundation for Board Presentation Success
While there is more awareness among top leadership and board members
regarding the daunting challenges of cybersecurity, a board member's
view of cybersecurity is primarily concerned with cybersecurity as a
set of risk items, each with a certain likelihood of happening with
some business impact.
To present an accurate plan and budget, CISOs must understand the
organization's IT inventory, including asset criticality, other risk
items, and which compensating controls are effective. An AI solution
can help an organization analyze the data signals across the attack
surface on a continuous, real-time basis to quantify risk, prioritize
the most important tasks, and define a plan and vision for the future.
As such, answering these questions ahead of time will help CISOs
define a plan and take the organization in a positive direction.