[BreachExchange] Communication is Broken Between CISOs and the Rest of the Business

Destry Winant destry at riskbasedsecurity.com
Fri Nov 2 09:37:05 EDT 2018


https://www.securityweek.com/communication-broken-between-cisos-and-rest-business

In a recent survey of business communication by the well-known audit
and consulting firm PwC, board directors were asked to rate the
quality of presentations they receive from senior managers. CISOs
ranked at the bottom of the list with just 19% of CISO presentations
being rated as “excellent.”

Ask a CISO for a reaction, and you might get this: “The problem is the
C-suite and the board just don’t understand technology.”  Continuing
with, “I showed them the stats on our patching cadence, CVSS score and
NIST CSF maturity rating and they just looked at me blankly.”

Time was, the rest of the business might have bought into the idea IT
security was unique among business functions, with processes,
standards and language too technical to be understood by ordinary
business folk.  Cybersecurity management is technical, the thinking
went, therefore the results could only be expressed in technical
language, too.

That era came to a crashing end in the last few years when crippling
malware and devastating data breaches made cyber risks a clear and
present danger for the entire organization. Now, board members and
senior management are likely to wave off CISO techno-speak and push to
get their questions answered on their terms.  Questions like:

CFO: “How much cyber risk do we have?  Are we spending too much or too little?”

Audit: “Did you fix the high priority issues?”

CIO: “Are we spending our cybersecurity budget on the right things?
What’s the ROI?”

Board/CEO: “We don’t want to be the next news headline. Are we secure?”

Now, the tables have turned: It’s the CISO who faces a vocabulary test
at every senior-level meeting. Forward-looking infosec leaders are
realizing they need to align themselves with the way the rest of the
business thinks or fall into irrelevance.

Here’s some bottom line advice for any CISO looking to restart
effective communication with the rest of the business: Follow the
money. Understand that, if you’re not communicating about cyber risk
in business terms, dollars and cents, you’re not communicating.

That means a shift in how CISOs understand cybersecurity risk. Factor
Analysis of Information Risk (FAIR), an international standard model
for quantifying cyber risk in financial terms, provides a pragmatic
way to approach the problem.

According to FAIR, a risk always involves a “loss event” – in other
words, the probability that some threat actor, e.g. a cyber criminal,
uses some technique, e.g. use of stolen user credentials, that results
in an adverse effect, e.g. a data breach, causing a form of financial
loss within a certain timeframe.

So, a risk is not a vulnerability, ransomware, the cloud or Fancy
Bear; rather, these might be factors that contribute to risk.

It’s an exercise in critical thinking that clears away a lot of the
mental brush that muddles CISO communication. With a focus on loss
events, infosec leaders can start analysis of probable occurrence and
probable impact of cybersecurity incidents, based on internal or
industry data, and frame the conversation truly around risk, much as
other business units can discuss market, financial, operational or
enterprise risk. As in other risk management disciplines, cyber risk
can be estimated as a range of probable financial outcomes, not “8 on
a scale of 10” or “yellow but not as bad as red.”

A CISO can start directly answering questions on how much cyber risk
the organization faces, what risks are higher and lower priority,
where spending on controls should be directed and, based on experience
with the effectiveness of those controls, what’s an expected return on
investment in terms of risk reduction. For that ultimate, senior
management/board question, “Are we secure?” there’s a ready answer, “I
can’t promise complete security, but I can give the organization the
means to make an informed decision on what financial level of cyber
risk we want to carry based on the level of investment.”  Guaranteed,
there won’t be blank stares.
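As an added illustration (not from the article or the FAIR standard itself) of the loss-event framing above, the Monte Carlo below estimates annual loss as a range of dollar outcomes from (min, mode, max) estimates of threat event frequency, vulnerability and loss per event, and compares it before and after a control. The scenario values, the MFA control and its cost are constructed assumptions for the example.

```python
"""FAIR-style Monte Carlo: cyber risk as a range of annual loss in dollars, not a score."""
import math
import random

def sample_pert(rng, low, mode, high):
    """Triangular stand-in for PERT; random.triangular takes (low, high, mode)."""
    return rng.triangular(low, high, mode)

def sample_poisson(rng, lam):
    """Knuth's method: how many loss events occur in a year with expected frequency lam."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def simulate_annual_loss(tef, vuln, loss, years=20000, seed=7):
    """One simulated annual loss total per year; each argument is a (min, mode, max) estimate:
    tef = threat events/year, vuln = P(threat event becomes loss event), loss = dollars/event."""
    rng = random.Random(seed)
    totals = []
    for _ in range(years):
        # Loss Event Frequency = Threat Event Frequency x Vulnerability
        lef = sample_pert(rng, *tef) * sample_pert(rng, *vuln)
        n_events = sample_poisson(rng, lef)
        totals.append(sum(sample_pert(rng, *loss) for _ in range(n_events)))
    return totals

def summarize(totals):
    """Percentiles of annual loss: the 'range of probable financial outcomes'."""
    s = sorted(totals)
    pick = lambda q: s[min(int(q * len(s)), len(s) - 1)]
    return {"p10": pick(0.10), "p50": pick(0.50), "p90": pick(0.90), "mean": sum(s) / len(s)}

# Constructed calibrated estimates (not from the article): stolen-credential use
# leading to a data breach, before and after an assumed MFA rollout.
BASE_TEF = (5, 12, 30)               # credential-based intrusion attempts per year
BASE_VULN = (0.05, 0.15, 0.40)       # share that succeed without MFA
MFA_VULN = (0.005, 0.02, 0.08)       # share that succeed with MFA
LOSS = (50_000, 250_000, 2_000_000)  # dollars per breach

def risk_reduction(control_cost=150_000):
    """Expected annual loss avoided by the control, set against its cost."""
    before = summarize(simulate_annual_loss(BASE_TEF, BASE_VULN, LOSS))
    after = summarize(simulate_annual_loss(BASE_TEF, MFA_VULN, LOSS))
    avoided = before["mean"] - after["mean"]
    return {"before": before, "after": after, "avoided": avoided,
            "roi": (avoided - control_cost) / control_cost}
```

The p10/p50/p90 spread is what goes in front of the board; the mean difference between scenarios is the risk reduction a control buys for its cost.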
