[BreachExchange] CISO do’s and don’ts for board reporting

[Destry Winant]

https://www.helpnetsecurity.com/2019/06/13/ciso-board-reporting/

Security is no longer just a job for IT – it impacts all areas of a
business, from brand perception to the bottom line. As a result, CISOs
are increasingly being asked to deliver cybersecurity reports to their
boards, including information on global trends, security performance,
security strategy, and security spend.

In an ideal world, this increase in board visibility would foster a
new collaborative relationship between security leaders and their
executive stakeholders; one that breaks down traditional security
silos and allows security strategy to become a shared responsibility
more aligned with overall business goals and objectives.

But the reality is something different for many organizations, with
frustration being felt on both sides: According to Gartner, by 2022,
only five percent of CISOs will report security metrics that are
useful to their senior business executives. On the flip side, research
shows that a majority (56 percent) of security leaders feel that their
corporate boards are not active participants when developing and
executing the company’s security strategy.

How can CISOs do their part in moving the conversation forward?

The biggest impediments when it comes to effective board involvement
in cybersecurity boil down to not having the right communication
strategy and overlooking the nuances of communicating with the
audience at hand. For example, security executives often find it
challenging to communicate security updates to board members, who are
typically incredibly well-versed in business risk but may struggle to
interpret technical security reports.

Rather than an update on firewalls and intrusion detection software
deployments, what board members need is an acute understanding of
their business’s security posture and risk to inform better business
decisions. Read on for critical steps security executives can take to
effectively communicate with their business risk-driven boards for
smoother, data-driven conversations to give them just that.

Zero in on the right topics

When reporting to the board, CISOs should provide an overview of
noteworthy issues that may impact executive-level decision making. For
example, security leaders should come prepared to address any
high-profile breaches that occurred over the previous quarter,
particularly those that affect similar size and sector organizations
or those with the same technologies. Engaging with board members on
industry trends is an important way of informing members while
establishing personal credibility.

CISOs should also identify noteworthy legal or regulatory issues and
their application or impact on the business. Whether the information
is the latest notice from a federal regulator about its yearly
examination priorities, emerging legislation in the U.S. Congress, or
new global security requirements overseas, CISOs should be able to
analyze the application of these issues to the business and provide
brief, informative insights for board members. This is a great way for
CISOs to partner with their legal teams to deliver relevant analysis.

Use meaningful security performance metrics

At the end of the day, boards want information but they desire
meaningful metrics above all. Boards want to measure security the same
way they measure other aspects of the business – with an objective,
quantitative update on the effectiveness of the company’s
cybersecurity performance.
CISOs must be able to talk to progress against security performance
goals and objectives.

Questions to prepare for include:

- How do we quantitatively measure our performance?
- Do we leverage objective data and track performance over time?
- Are we improving our performance?
- If security performance is on the decline, what is the reason and
what steps are being taken to fix it?
- How does our performance compare to our peers or competitors in our industry?

In addition to leveraging their own internal data, CISOs should be
tapping objective, continuous monitoring data that easily quantifies
their business’s internal cybersecurity posture, their industry peers’
or competitors’ posture for accurate benchmarking. The right metrics
provide a dynamic, tangible measurement of cybersecurity performance
and can be used to communicate either improvement or deterioration
over time, and can help CISOs easily map any fluctuation back to
broader business goals and objectives. Many CISOs have found that
leveraging security ratings provides an excellent, independent and
objective overview for boards to measure the organization’s efforts.

Focus on telling a story

When communicating with the board, CISOs need to be more than security
experts – they need to be storytellers. The best CISOs are able to
talk about security incidents, regulation and policy, and the
business’s security performance in an engaging, narrative-driven way
that is focused on operational and financial risk.

Effective communication to the board also includes telling a highly
visual story. Beyond Excel spreadsheets, CISOs should build
presentations that discuss and showcase the company’s security
progress visually, through charts, graphs and images. CISOs should set
aside time to invest in the measurements and aesthetic of the
presentation, but also focus on distilling it down to effectively
communicate the most business-critical takeaways.

Stay in constant contact

Most boards are addressing cyber risk at least on a semi-annual basis,
if not every quarter to review performance and progress toward goals
and includes board-level representation. The cybersecurity landscape
changes so rapidly that a regular cadence is required to most
effectively capture updates to the security program and potential
threats.

Regular meetings will provide a regular moment in time to update and
engage with the board on the company’s cybersecurity overall strategy,
previous risk, and plans to avoid emerging risks transparently.

Foster collaboration

Cybersecurity should be considered a living, breathing part of an
organization’s ecosystem, not just a siloed department. Security risks
can impact customer and shareholder relationships, the bottom line,
and a company’s overall reputation, and should be understood and
prioritized by all members of an organization. Thinking of security as
a business enabler – not just a cost center – is an important mindset
for the CISO to adopt to achieve greater board and executive-level
buy-in.

By leveraging these methods of communication and reporting, CSOs and
CISOs can effectively collaborate on cybersecurity strategy with the
board, and build a stronger, more resilient yet fluid plan for cyber
performance improvement.