A Chief Information Security Officer is a person who is always in a tough spot. Not only is a CISO responsible for the day-to-day safety of their organization, but they must be able to explain to the C-Suite what is going on from a cybersecurity perspective and do so in language that the other executives understand.
After all, what a CISO has to say is all about protecting the business from threats to its computer system and reducing risk, items that need to be on every corporate management agenda.
The concept of protecting an organization from a cyberattack is quite well known. Attacks happen daily, are covered by the mainstream news so it makes sense that those occupying the C-Suite would be well versed in understanding this potentially existential danger to their organization.
But, this is not always the case. Many people occupying this rarified place in the business world bring different skills to the board room, skills that not necessarily technical, and many may simply have not had the time to learn the ins and outs of cybersecurity.
To help those CISOs struggling to find the right combination of words and tactics we sat down with Rob Horne, Principal Consultant, Cyber Advisory at Trustwave, who offered up some tips.
1. Why do so many executives still lack a solid grasp of the dangers that exist?
Some of this, I think, has to do with the fact that those in the C-Suite believe their internal resources are sufficient to handle the security issue and are more concerned about costs. To rectify this a CISO must speak in the right language.
As an industry, we’re awash with acronyms and new technical terms for the latest piece of technology, then we wonder why nobody understands us. We need to use language that translates to an executive’s vocabulary and knowledge.
To give an example from the world of finance, the meaning of ‘net income’ is straightforward, but if I said EBITDA would I expect you to know what I meant? However, this is only half of the story; we need to take a more holistic view and provide the context, as executives also need to understand who is a threat and why.
2. What are the most common security topics that higher level executives don’t, but need to understand?
The most common problems that can be incurred by a cyber incident are disruptions to the business/productivity; being unable to transact business for a period of time; the impact this has to the bottom line; and finally, the impact to customers; that being the loss of goodwill and reputation.
Potential impacts and outcomes can start from minor technical disruption to loss of the entire business, personal regulatory fines and even custodial sentences. That’s not meant to be a scare tactic, it’s a realistic estimation of extreme consequences, and when planning for disaster it’s wise to plan for the worst.
While we may be in the twenty-first century the online environment is still very much akin to the old Wild West: lawless, dangerous, and uncertain. Operating with a sufficient level of resilience takes internal effort and resources, and these requirements also need to be communicated and understood to those who run the company.
3. What are a couple of key talking points a CISO needs to keep in mind when briefing the C-suite?
First, cybersecurity isn’t a point in time, it’s an ongoing issue. After all, bad actors don’t go away after you address vulnerabilities on any given day. Second, communicating the depth and breadth of knowledge required to stay up to speed with what is happening in the world of cybersecurity.
There are no simple solutions in such a fast-paced, evolving world, there is no silver bullet; this means information must be presented as a journey with no pre-defined destination. This is an important point because, as a CISO, you will need to ensure your audience isn’t expecting you to solve the big issues, but at the same time, they need to understand continually fixing the small issues is a required and valid approach.
Along similar lines, make them aware that the latest all-singing, all-dancing technology is not a panacea, as it may not be the right tool for your business. It’s functionality may be achievable with existing tools, it may require new staff or existing staff to learn new skills to manage.
Furthermore, cyber resilience requires a layered approach, many controls backed by policies and procedures, working together in harmony. A CISO will need to explain to the C-Suite their role is to spin hundreds of plates at the same time where just one falling could bring the rest crashing down.
4. Risk Appetite is a popular phrase tossed about now to describe how a company should determine the extent and expense it is willing to incur to protect itself. Can you give a brief definition of Risk Appetite and how an organization can go about determining its Risk Appetite?
Risk is a combination of factors: how likely is it to happen, what will the impact be, are we vulnerable to it occurring. But it gets a little more complicated when you consider one vulnerability can have an effect on multiple risks, and two small risks combined could lead to a more serious impact. Only when you’ve worked out a quantitative way of defining risks can you move forward.
However, this step is not easy. Understanding and determining an organization’s risk appetite is complicated enough that we will dedicate our next blog to the topic.
5. How important is it to have cybersecurity metrics on hand when conducting a C-Suite briefing? What are a few of the most important metrics the board needs to understand?
Metrics need to tell a story and that story can be about how you’re trying to hit a constantly moving target, which is evolving while the organization is changing how it reacts. However, metrics need to be understandable, so clarity and simplicity is key; trying to get too many messages into a metric will devalues it, if the messages are worth telling split them up and tell them separately.
But metrics can do a lot more. Many metrics are operational in nature, they show what has been done; outcome-driven metrics should be used to tell a story about a business objective, provide context and be qualitative in nature. From the CISO’s perspective, metrics can add value to the decision-making process in terms of budget and resource requests, as they will clearly demonstrate how you are going to achieve a corporate objective and what you need to do so.
6. How can a CISO faced with keeping their C-Suite up to speed improve and how can Trustwave help in this endeavor?
Keep the message front and center, test their understanding and add to their knowledge. Today, more than ever, the need for cyber resilience remains critical in a constantly changing environment.
The past few years have seen a move away from centralized physical facilities to the work from home culture, while at the same time this has changed the traditional cyber defenses with the increasing reliance on cloud and the need to tale a zero trust approach. Reporting to the C-Suite is the CISO’s method to validate their value, demonstrate progress and publish achievements; metrics are the tools that bring this to life, let Trustwave help you get the most out of what you say.
Trustwave has many years’ experience in helping organizations achieve a high level of cyber resilience across multiple industries. Because of this, we can help CISO’s assess, improve and test their security, but also help present the value these activities are bringing to the organization.