On March 7th, 2017, a bipartisan bill was introduced in the U.S. Senate called the Cybersecurity Disclosure Act of 2017 [1]. The bill's purpose is to "promote transparency in the oversight of cybersecurity risks at publicly traded companies." It adds Securities and Exchange Commission (SEC) requirements for public companies to disclose what cybersecurity expertise is present on the board of directors. If no such expertise is present, the company must disclose in its SEC report "what other cybersecurity steps" the board's nominating committee is taking. Whether this bill becomes law or not, it is a shot across the bow to executives. The Senate is likely tired of calling company executives before it to explain colossal leaks of consumer personal data, as seen in the last few months of Yahoo hearings [2].
With all this going on, it's likely that boards and executive leadership are going to be buttonholing their CISOs into cyber risk conversations. Just a few years ago, security professionals struggled for executive interest (let alone support), but now we are in the hot seat for answers. And what a hot seat it is. A recent survey revealed that 66% of fired IT professionals were terminated over security or compliance failures [3]. Understating or burying cyber risk is usually a ticket to termination as well, so it's important that you speak up. We need to make sure leadership understands the relevant security issues and can help mitigate them.
We know it's important for CISOs and executive leadership to collaborate on security, but it's not an easy task. One reason is that CISOs and execs don't speak the same language. You aren't going to show the board of directors the same PowerPoint deck you use with employees, or even managers. You need to tailor your message for your audience. We've talked about using operational risk to frame the conversation [4], but there is value in a straightforward approach as well.
To do this, you simply prioritize and make things quantifiable. Prioritizing means you focus on the top cyber risks and provide just the information the board really needs to know. A good place to start is the state of company culture regarding security: how far off is it from where it needs to be, and how can leadership recalibrate it? You're not going to get consensus attention on security unless the message originates from the top, so this is where you should begin. Once started, it's something you can revisit with the audit committee or the board. You can produce alignment metrics from numbers you already have: security awareness training attendance, patching completeness, audit findings, counts of security-related software defects, incident counts, and backup coverage. Plotted as percentages on a radar chart, these make the deficiencies apparent at a glance.
Beyond the overall status of the program, you need to be able to explain cyber risk in terms that executives can understand. Keep it simple and remember this important nuance: many people don't realize that risk has two components, likelihood and impact. For example, some people react to catastrophic impacts (what are we doing about Pottsylvanian hacker-spies?), which are rare, while overlooking more likely risks (such as ransomware). If a threat is prevalent and in the news a lot, people will overestimate its likelihood (insider data leakage, for instance) without looking at the actual statistics (around 10% of reported incidents [5]).
It shouldn't be hard for you to find likelihood data. In addition to industry statistics and open source threat intelligence [6], you can gather information internally within your organization. Sources include the same data used to build the radar chart above, as well as firewall, intrusion detection, web, and mail system logs.
Impacts are easier to talk about because these are what keep folks up at night. However, you need to move beyond vague feelings of dread and help people understand the real potential impacts to your business. Impact costs vary greatly depending on your industry, your data scope and compliance obligations, business functions, and how much you outsource. Still, you, as the cyber security expert, are in a better position than anyone else to describe those impacts to the board. Talk in terms of tangible and intangible losses that resonate with them, including:
- Tangible costs:
  - Breach disclosure costs (PII record count x disclosure cost per record)
  - Customer SLA fines
  - Revenue loss during system downtime and recovery
  - Compliance and audit fines
  - Potential litigation and fines down the road
  - Incident response costs, including internal resources (OpEx), third-party breach experts, required remediation controls, and effectiveness testing
- Intangible costs:
  - Impact to your brand (the business puts a value on this, usually found as an asset line item in your financial books)
  - Current and future customer perception and loss
  - Loss of business value in acquisition discussions
  - Competitive advantage loss
  - The board's personal reputation and/or jobs
When presenting likelihood and impact, stick to the simplified High/Med/Low model. Everyone is aware that there are more layers, and most execs would understand a more complex model, but their time is limited and they just want the CliffsNotes version. Where a risk is rated high, they will probably press for details.
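The likelihood-times-impact reasoning above, with the tangible cost lines from the list and a High/Med/Low matrix, can be captured in a small risk register. The following is an added example written for this article, not the author's own tool; every frequency, dollar figure, threshold, scenario name and owner in it is a constructed assumption for illustration, not industry data or a real organization's numbers. It shows why a frequent, moderate-impact scenario (ransomware) can outrank a rare catastrophic one (espionage) once both components are scored, and it carries the owner field the board will ask about.

```python
"""Board-level cyber risk register: likelihood x impact, bucketed to High/Med/Low.

Added example, not from the original article. All numbers below are
constructed assumptions chosen to illustrate the scoring, not real data.
"""
from dataclasses import dataclass

# Constructed unit costs (assumptions).
DISCLOSURE_COST_PER_RECORD = 4.0   # USD per exposed PII record (notification, monitoring)
REVENUE_PER_HOUR = 12_000.0        # USD of revenue lost per hour of downtime


@dataclass
class Scenario:
    name: str
    annual_likelihood: float         # expected occurrences per year (from logs/industry stats)
    owner: str                       # business owner accountable for remediation
    records_exposed: int = 0
    downtime_hours: float = 0.0
    sla_fines: float = 0.0
    compliance_fines: float = 0.0
    litigation: float = 0.0
    response_costs: float = 0.0      # internal OpEx, third-party experts, remediation, testing

    def tangible_impact(self) -> float:
        """Single-incident loss: sum of the tangible cost lines in the article's list."""
        return (
            self.records_exposed * DISCLOSURE_COST_PER_RECORD
            + self.downtime_hours * REVENUE_PER_HOUR
            + self.sla_fines + self.compliance_fines
            + self.litigation + self.response_costs
        )

    def annual_expected_loss(self) -> float:
        """Likelihood and impact combined: expected loss per year."""
        return self.annual_likelihood * self.tangible_impact()


# Banding thresholds (assumptions; tune to the organization's risk appetite).
# Each list is checked top-down: the first floor the value meets wins.
LIKELIHOOD_BANDS = [(0.5, "High"), (0.1, "Medium"), (0.0, "Low")]
IMPACT_BANDS = [(1_000_000, "High"), (250_000, "Medium"), (0, "Low")]

# 3x3 matrix mapping (likelihood band, impact band) to the overall rating.
RATING = {
    ("High", "High"): "High", ("High", "Medium"): "High", ("Medium", "High"): "High",
    ("High", "Low"): "Medium", ("Medium", "Medium"): "Medium", ("Low", "High"): "Medium",
    ("Medium", "Low"): "Low", ("Low", "Medium"): "Low", ("Low", "Low"): "Low",
}


def band(value: float, bands) -> str:
    for floor, label in bands:
        if value >= floor:
            return label
    return bands[-1][1]


def rate(s: Scenario) -> dict:
    """Score one scenario into the simplified High/Med/Low presentation."""
    lik = band(s.annual_likelihood, LIKELIHOOD_BANDS)
    imp = band(s.tangible_impact(), IMPACT_BANDS)
    return {
        "scenario": s.name, "likelihood": lik, "impact": imp,
        "rating": RATING[(lik, imp)], "owner": s.owner,
        "annual_expected_loss": round(s.annual_expected_loss()),
    }


def board_summary(scenarios) -> list:
    """Rows ordered High first, then by expected annual loss within a rating."""
    order = {"High": 0, "Medium": 1, "Low": 2}
    rows = [rate(s) for s in scenarios]
    return sorted(rows, key=lambda r: (order[r["rating"]], -r["annual_expected_loss"]))


# Constructed scenarios (assumptions): the three the article's discussion alludes to.
SCENARIOS = [
    Scenario("Ransomware on file servers", annual_likelihood=0.6, owner="VP Operations",
             downtime_hours=72, sla_fines=50_000, response_costs=150_000),
    Scenario("Nation-state espionage", annual_likelihood=0.02, owner="CTO",
             records_exposed=250_000, litigation=2_000_000, response_costs=500_000),
    Scenario("Insider data leak", annual_likelihood=0.1, owner="VP Sales",
             records_exposed=20_000, compliance_fines=100_000, response_costs=60_000),
]

if __name__ == "__main__":
    for row in board_summary(SCENARIOS):
        print(f"{row['rating']:6} {row['scenario']:28} L={row['likelihood']:6} "
              f"I={row['impact']:6} AEL=${row['annual_expected_loss']:,} owner={row['owner']}")
```

With these constructed inputs, espionage has the largest single-incident impact ($3.5M) but a Low likelihood band, so it lands at Medium, while ransomware (High likelihood, just over $1M impact) is the one High item on the slide; the insider scenario, despite its news coverage, rates Low. The thresholds and the matrix are deliberately exposed as data so the audit committee can see and argue about them rather than the arithmetic.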
Lastly, never present a problem without an accompanying solution. Make sure you have a solid mitigation plan (with proposed budget numbers) for anything rated high risk. Executives want clear lines of responsibility among business owners—they want to know who is responsible for remediation and which budget the remediation tasks will be paid from. Never present a risk without clear information about ownership and responsibility. Chances are the board has already dealt with high-risk, non-cybersecurity scenarios before. If you've explained things well, you can sit back and let them decide what to do. But, as the cyber security expert, you should still be prepared to give them guidance or validation.
The first time you do this, it might seem like a lot of work, but for effective CISOs it is routine. Risk assessments and reporting to the board should happen at least annually. The first risk assessment is the foundation, which you update with new risks as things change within the organization. As cyber risk becomes better understood and managed, you may only need to present updates when something significant or material has happened. This is the ideal position—not only does it mean everyone is sleeping at night, it means the board trusts you.