[BreachExchange] CISOs: Quantifying cybersecurity for the board of directors

Destry Winant destry at riskbasedsecurity.com
Wed Apr 22 10:24:10 EDT 2020


Only 9% of security teams feel as if they are highly effective in
communicating security risks to the board and to other C-suite
executives, according to a recent survey conducted by the Ponemon

As a CISO, it can seem as though it is impossible to effectively
explain and report the importance and workings of the organization’s
cyber-risk program to an audience that views cybersecurity as yet
another difficult to understand, technical topic. As a result, many
board and C-Suite decisions related to security are made with gut
feelings and with insufficient data.

When CISOs place themselves in the board’s shoes and clearly
communicate and quantify overall cyber-risk, their message is better
received, and they are more likely to get the support needed to
transform the company’s cybersecurity posture.

Approaching cybersecurity through the board of directors’ perspective

CISOs must reconsider their communication approach and perspective
prior to a board and/or C-Suite discussion. It’s crucial that they
report cyber-risk in a language that the board and the rest of the
C-Suite can comprehend. It can be quite frustrating to explain
advanced malware or technical controls to an audience that is not
familiar with the technical details of cybersecurity.

From a board member’s perspective, cyber-risk posture is viewed as a
set of risk items with corresponding business impact and associated
expense. The board wants to know where the enterprise is on the cyber
risk spectrum, where it should be, and, if there’s a gap, how it’s
going to close it. CISOs should focus on shifting the conversation
from cybersecurity to cyber risk and provide concise, quantitative
responses to the board’s questions without the use of overly technical
terms or concepts.

Quantifying cybersecurity for the board of directors

A CISO must properly and accurately quantify cybersecurity risk and
business impact when reporting. Given the massive size and complexity
of the enterprise attack surface and the practically unlimited
permutations and combinations by which an adversary can carry out a
cyberattack, this is no small task. Done appropriately, however, it
makes the much-needed executive-level support and funding for
information security far more likely to be obtained.

When quantifying cyber risk, there are four key areas to keep in mind.

1. Identifying the key areas of the business at risk of cyberattack
and the current controls in place. As an example, if an organization
prioritizes the risk of loss of intellectual property, the CISO will
define this as a key risk item and help their colleagues understand
how the cybersecurity program is aligned to managing this risk.

2. Comparing and quantifying their cybersecurity posture against peer
organizations. It’s important to consider that board members and
executives are most interested in knowing the level of acceptable risk
that is appropriate, and comparison is a common method used to grade

3. Quantifying internal benchmarking data will ensure that the CISO is
showcasing what parts of the organization’s current cybersecurity
program are working and what are not. With this data, the board can
easily view how risk is distributed in the organization and the teams
or areas that are driving the greatest risk. CISOs must present at a
high-level the types of actions necessary to remediate key risks to
bridge the gap between perceived risk in the boardroom and the actual
on-network conditions.

4. Presenting a plan to achieve the recommended level of cyber-risk
and providing quantifiable insights on improvement. A CISO’s plan
needs to be converted into an easily digestible, high-level list of
small steps or initiatives, each with corresponding time frames,
required resources and a dollar cost. Furthermore, given that the
board will expect the CISO to drive and execute a plan, he or she must
quantify all the responsible constituents involved. During the next
quarterly cybersecurity review with the board, quantifiable
improvements that show the risk reduction outcomes a CISO’s team has
achieved over time should be highlighted.

If CISOs are unable to communicate and quantify their cybersecurity
program, priority projects don’t get funded, which leads to increased
breach risk. Fortunately, there are now many tools on the market that
significantly improve CISOs’ ability to report to the board
effectively and systematically.

Platforms are available that can analyze the entire attack surface in
order to obtain a more accurate view of breach risk, compute a risk
score for the enterprise, then compare that score against peer
organizations. Not only does this allow for more transparency in the
company’s security posture, but it also increases the efficiency of
the business’s security teams and reduces risk by showing which
actions need to be taken in order to improve security posture.
