Communications Breakdown: CISOs & Company Boards

Bay Dynamics: The CISO's Ultimate Guide to Reporting to the Board

Bay Dynamics recently released a report that surveyed information technology and security officers about the types of cybersecurity activity they report to their board of directors. The report concluded that chief information security officers (CISO) and the board of directors don't adequately share cybersecurity threat information.

Bloomberg BNA Privacy & Data Security News Senior Legal Editor Daniel R. Stoller posed a series of questions to Bay Dynamics Chief Executive Officer Feris Rifai.

The Bay Dynamics report indicates that CISOs are confident about what cybersecurity threat information to present to the board and what type of information the board wants to hear. However, much of this information is either misunderstood or too technical. What can CISOs do to streamline the process and provide more actionable information?

In order for the board to make decisions regarding an organization’s cybersecurity risk posture, they need quantitative information that is framed in the context of relevant business concerns.

The challenge for the modern CISO is to translate cybersecurity risk into a language that non-security practitioners can understand and use to drive decisions. The cybersecurity metrics shared may differ from one company to the next, but ultimately you want to provide your board with highlights of significant risks to the business in an effort to help them achieve effective oversight and facilitate the right action that can help you reduce your company’s cybersecurity risk.

For example, as an IT and security executive, you may want to inform the board how you are currently protecting the company’s crown jewels (e.g. employee credentials, customer credit card information, health care records, trade secrets, etc.), and then describe how the risk to these crown jewels can be mitigated by making certain investments. Do this in plain English and without security-specific technical jargon. Quantify what’s at stake (the value at risk), what you are currently doing about it, and what else you can do to reduce your cybersecurity risk.

Another example could be discussing the kind of attacks you’re seeing on companies in your industry, such as compromised third-party vendor credentials that have access to the company’s crown jewels, and then providing an assessment of the business impact of such an attack with an estimated dollar amount in loss of sales, reputational damage, liability, etc., and finally making a recommendation to the board as to managing that very risk. This in turn helps you and your board justify an investment that may be much needed for you to prevent or drastically reduce the likelihood of such an event.

IT and security executives should also provide progress reports over time regarding how those decisions helped reduce the overall cybersecurity risk of the organization. This enables your board to see how their decisions directly impacted the cybersecurity risk posture of the organisation.

Ultimately, cybersecurity is a risk management problem. IT and security executives want to show the level of risk the organization faces today and that by taking certain actions the board can help reduce it. The board understands and speaks the language of risk. By speaking the board’s language, IT and security executives will be able to gain their support in helping them improve the organisation’s cybersecurity risk posture.

Cybersecurity reporting is dominated by manual methods—i.e. manually imported Excel files. What are the pros and cons of a manual method? If a manual method is not a best practice, is there technology that exists to automate the process?

Most enterprises have siloed IT and security systems and teams, and cobbling together board reporting manually by compiling spreadsheets that include subjective data massaging to make everything line up has significant downsides. Not only is it a major drain on resources and productivity, but it can also provide a false sense of security that hides serious deficiencies from both the IT/security executives and in turn the board.

Whether it is due to intentional manipulation or human error, it leads to incorrect reporting and oversight of important data. In the end, IT and security executives may wind up with outdated and/or partial data, or overlook critical data that the board needs to make informed decisions.

IT and security executives need a repeatable, automated and traceable process to reflect the organization’s true cybersecurity posture. There is technology that provides that. We call it “The Great Unifier.” User and entity behavior analytics combined with advanced situational awareness software unifies an organization’s security controls by collecting data from them and producing automated, accurate reports that reflect the organization’s cybersecurity risk posture.

The software adds a layer above an organisation’s security detection tools, providing a consistent view across data sets and enabling IT and security executives as well as the board to make good, informed decisions. The software helps organizations measure, communicate, and reduce their cybersecurity risk. It distills what’s happening in their environment down to providing information IT and security executives can serve to the right people at the right time for the right action.

Board members have a fiduciary responsibility to hold IT and security executives to a higher standard and should request information about the systems being used to measure and provide them with the organization’s cybersecurity risks.

The frequency of cybersecurity threat information presented to the board is lacking, according to the report. How can CISOs and the board of directors balance an overload of information versus underreporting of cybersecurity threats?

IT and security executives should focus on addressing the board in a holistic manner. Obsessively reporting every cyber-metric possible is not the answer.

We believe there are three major areas that IT and security executives need to communicate to their board: the company’s cybersecurity history, with a focus on learning from the past; the current state of affairs; and where IT and security executives would like to make changes to improve the organization’s overall cybersecurity risk posture.

They should also continually come back to the boardroom and show what they are doing at that time relative to what was discussed and approved by the board in previous meetings. It’s equally important to share with the board how their latest cybersecurity investments have reduced the organization’s overall risk. IT and security executives should explain what they were looking to do when they last spoke with the board, where they are now and where they think they will be moving forward. This kind of tracking enables the board to see a tangible cybersecurity risk reduction being made while they were steering the ship.

IT and security executives get limited time with the board. They should use that time to share the actual risks that could impact the organization and then get the board to help address those risks, and empower them to reduce them in the process.

The Chief Legal Officer or General Counsel should be the overseer of both parties. They play an important role in making sure IT and security executives are reporting information based on an automated, repeatable process and the board is holding them accountable for doing so. It is legal executives’ responsibility to do whatever they can to help the organization avoid litigation and that means getting involved, rolling up their sleeves and informing both parties what their responsibilities are in minimizing the organization’s cybersecurity risk.

They should share with the board what is expected of them, including demanding that IT and security executives provide them with actionable information so that they can make informed decisions about the organization’s cybersecurity risk. On the other side, legal executives should make sure IT and security executives are aware that the information they are sharing with the board needs to be trustworthy and traceable. Legal executives can explain how both sides have a part in cybersecurity risk reduction, and they can help bridge the gap in communication by making sure both parties understand their responsibilities.

BNA: http://bit.ly/1U5bCiV
