Cyber Risk And The C-Suite


Enron changed the world of finance and the energy industry forever, and the early days of the Equifax hack look as though this breach could change the face of the credit industry and cybersecurity forever. That a single company could amass so much financial information on an individual and be as poorly defended as it was just emphasises the importance of communicating security and risk effectively to your Board of Directors.

As an infosec director, I’m often asked about the biggest challenges faced by CISOs. Again and again, one key issue surfaces: the need for CISOs to deliver meaningful metrics to their Board of Directors. Boards that are not composed of security professionals are increasingly funding new cybersecurity programs and initiatives without understanding what information they want or need. They call for metrics, and the CISO is left wondering which metrics to present that will mean something to the board.

To understand which metrics CISOs should deliver, CISOs need repeatable processes and an understanding of risk management. CISOs need to meet board members where they “live” — meaning they need to be talking about the same objectives if the metrics are to make sense.

The Cyber Boardroom Backdrop: An Evolving Digital Landscape

Boards want to know that the security tools they paid for are working. Unfortunately, security professionals are all too often presenting slides which show hundreds of thousands of anti-malware alerts to evidence return on investment.

Business leaders are more interested in risks to their organizations than in fancy threat dashboards. Executives want to understand the high-impact risks and impediments that get in the way of their companies being successful. But the fancy dashboard doesn’t prove that security is actually working. It’s a “can’t see the forest for the trees” problem — that is, the flurry of alerts and the charts we make to show them may be hiding the true high-risk security impacts.

And we’re right to be concerned that we aren’t measuring the things that matter. This comes at a time when organisations are undergoing digital transformation and taking more and more of their business to the cloud or environments they don’t completely control. Unfortunately, this transformation presents new opportunities for criminals too. The breadth of capabilities and commitment of the bad guys has changed seismically.

This is tough for executives outside of the cyber world to understand. Five years ago, they signed the checks for antivirus programs and a few hundred one-time password fobs; now their security teams are demanding sandboxing, decryption capabilities, security analysis platforms, IPS. The threat landscape is now almost unrecognisable to that of yesteryear and increasingly difficult to convey at the board level.

Boards are also affected by increased security regulation, media coverage of security breaches, public embarrassment, and even a trip before a government panel when security fails. Board executives want to protect not only the reputation of their companies but also their own personal brands. No one wants to be the person at the helm of a company that has been breached. Our job as security leaders is to make the C-suite feel prepared and briefed on the threats that can impact their organizations — and we need to do so in a way that avoids esoteric geek-speak and is centered around risks.

Getting A Foot In The (Boardroom) Door: Start With The Context

So, your board has asked you to update them on the organisation’s security risks. What can you tell them that’s relevant to their viewpoints, and isn’t mired in geek-speak?