[BreachExchange] CISOs must help their boards manage cyber risk — here’s how

Destry Winant destry at riskbasedsecurity.com
Wed Apr 28 10:37:29 EDT 2021


https://venturebeat.com/2021/04/24/cisos-must-help-their-boards-manage-cyber-risk-heres-how/

In one of the more memorable scenes from the film “Jerry Maguire,” Tom
Cruise’s character, a football agent, can be seen pleading with his one
client, begging him to just “help me, help you.” Maguire kept repeating the
line, hoping to break through to the player, trying to convince him to
change his attitude in the hopes it would help him land a big contract from
his team.

This scene came to mind recently when I was thinking about the relationship
between CISOs and their boards of directors. Cyber attacks on a corporation
can exact a high price — in money, reputation, and lost business. CISOs
battle day and night to prevent their company from suffering a crippling
cyber attack, yet too often they don’t receive the help or support they
need to properly execute their roles. As a result, CISOs often can’t get
enough money to hire staff and purchase the systems that can prevent
cyberattacks, can’t raise consciousness among executives to pay attention
to cybersecurity issues, and can’t persuade boards of directors to focus
more of their attention on cybersecurity needs.

For CISOs today to be successful, therefore, their responsibilities must
not only include building a robust cyber defense strategy on a limited
budget but also convincing their corporate boards of directors — the group
ultimately responsible for their budget — that cybersecurity needs to be a
budgeting priority. Yet, according to a report issued by consulting firm
EY, the board is not engaged in the cybersecurity debate. In the report,
nearly half of CISOs said their board “does not yet have a full
understanding of cybersecurity risk,” and just 54% of organizations
regularly schedule cybersecurity as a board agenda item.

Getting the board onboard
How, then, can CISOs convince their boards that cybersecurity spending
needs to be a priority, and how should they express that need in a way
boards can relate to?

The first priority for CISOs to advance their objectives is to ensure that
board members understand the business issues — and not just the IT issues —
involved in cybersecurity, stressing the damage that a cyber attack can do
to an organization. Using real-life case studies at quarterly board
meetings will help drive the point home — such as the object lesson
furnished by Yahoo’s 2013 data breach, perhaps the most expensive in
history. That breach cost Yahoo $50 million in damages, paid to customers
whose details were revealed; millions of dollars more in fees for the free
credit monitoring it agreed to supply victims as part of its settlement;
and a $350 million discount in its sale price to Verizon.

However, it is not enough for CISOs to highlight the potential damage a
cyber attack can cause. Working with colleagues from across the company,
they must also convincingly demonstrate the benefits that a robust cyber
program can have for a business, stressing the opportunity to pursue
additional revenue streams, target new customers, and upsell to existing
clients.

Along with the business aspects of cybersecurity, board members need to
both better understand the threats and come to appreciate the steps
required to mitigate those threats so they can make informed, strategic
decisions for the business. CISO presentations to the board need to include
a discussion of the constantly evolving threat landscape: how hackers
choose their victims, how they penetrate networks, which security systems
are likely to prevent attacks, and how effective those systems are.

What the board needs to see
Just as the CEO presents budget and corporate strategy reports to
directors, CISOs should present security plans, with details on how
security teams plan to defend the company and what they can do to minimize
damage if an attack does take place. Once boards understand the technical
issues, they will be able to understand the strategies presented to them —
and weigh in on whether even more needs to be done.

To further make their case to board members, CISOs should propose a formal
governance structure — similar to what the board would use for other
business objectives — that will allow for effective reporting and analysis
of data. That structure should include periodic audits and reviews,
assigning ownership, ensuring that funding is adequate to meet challenges
and needs, and developing monitoring mechanisms and accountability systems
with measurable KPIs.

Members of a board of directors usually get to that position because of
their business acumen. But in today’s cyber-environment, that business
experience must be filtered through the lens of the potential impact a
cyber event can have on a company. By helping their board of directors have
a “cyber-first” mentality, CISOs will help themselves, allowing their
company to develop a healthier and more robust cyber posture.