Communications Breakdown: CISOs & Company Boards

Bay Dynamics: The CISO's Ultimate Guide to Reporting to the Board

Bay Dynamics recently released a report that surveyed information technology and security officers about the types of cybersecurity activity they report to their board of directors. The report concluded that chief information security officers (CISOs) and the board of directors don't adequately share cybersecurity threat information.

Bloomberg BNA Privacy & Data Security News Senior Legal Editor Daniel R. Stoller posed a series of questions to Bay Dynamics Chief Executive Officer Feris Rifai.

The Bay Dynamics report indicates that CISOs are confident about what cybersecurity threat information to present to the board and what type of information the board wants to hear. However, much of this information is either misunderstood or too technical. What can CISOs do to streamline the process and provide more actionable information?

In order for the board to make decisions regarding an organization’s cybersecurity risk posture, they need quantitative information that is framed in the context of relevant business concerns.

The challenge for the modern CISO is to translate cybersecurity risk into a language that non-security practitioners can understand and use to drive decisions. The cybersecurity metrics shared may differ from one company to the next, but ultimately you want to provide your board with highlights of significant risks to the business in an effort to help them achieve effective oversight and facilitate the right action that can help you reduce your company's cybersecurity risk.

For example, as an IT and security executive, you may want to inform the board how you are currently protecting the company’s crown jewels (e.g. employee credentials, customer credit card information, health care records, trade secrets, etc.), and then describe how the risk to these crown jewels can be mitigated by making certain investments. Do this in plain English and without security-specific technical jargon. Quantify what’s at stake (the value at risk), what you are currently doing about it, and what else you can do to reduce your cybersecurity risk.

Another example could be discussing the kind of attacks you're seeing on companies in your industry, such as compromised third-party vendor credentials that have access to the company's crown jewels, and then providing an assessment of the business impact of such an attack with an estimated dollar amount in loss of sales, reputational damage, liability, etc., and finally making a recommendation to the board as to managing that very risk. This in turn helps you and your board justify an investment that may be much needed for you to prevent or drastically reduce the likelihood of such an event.

IT and security executives should also provide progress reports over time regarding how those decisions helped reduce the overall cybersecurity risk of the organization. This enables your board to see how their decisions directly impacted the cybersecurity risk posture of the organization.

Ultimately, cybersecurity is a risk management problem. IT and security executives want to show the level of risk the organization faces today and that by taking certain actions the board can help reduce it. The board understands and speaks the language of risk. By speaking the board's language, IT and security executives will be able to gain their support in helping them improve the organization's cybersecurity risk posture.

Cybersecurity reporting is dominated by manual methods—i.e. manually imported Excel files. What are the pros and cons of a manual method? If a manual method is not a best practice, is there technology that exists to automate the process?

Most enterprises have siloed IT and security systems and teams, and cobbling together board reporting manually by compiling spreadsheets that include subjective data massaging to make everything line up has significant downsides. Not only is it a major drain on resources and productivity, but it can also provide a false sense of security that hides serious deficiencies from both the IT/security executives and in turn the board.

Whether it is due to intentional manipulation or human error, it leads to incorrect reporting and oversight of important data. In the end, IT and security executives may wind up with outdated and/or partial data, or overlook critical data that the board needs to make informed decisions.

IT and security executives need a repeatable, automated and traceable process to reflect the organization's true cybersecurity posture. There is technology that provides that. We call it "The Great Unifier." User and entity behavior analytics combined with advanced situational awareness software unifies an organization's security controls by collecting data from them and producing automated, accurate reports that reflect the organization's cybersecurity risk posture.

The software adds a layer above an organization's security detection tools, providing a consistent view across data sets and enabling IT and security executives as well as the board to make good, informed decisions. The software helps organizations measure, communicate, and reduce their cybersecurity risk. It distills what's happening in their environment down to the information IT and security executives can serve to the right people at the right time for the right action.

Board members have a fiduciary responsibility to hold IT and security executives to a higher standard and should request information about the systems being used to measure and provide them with the organization’s cybersecurity risks.

The frequency of cybersecurity threat information presented to the board is lacking, according to the report. How can CISOs and the board of directors balance an overload of information versus underreporting of cybersecurity threats?

IT and security executives should focus on addressing the board in a holistic manner. Obsessively reporting every cyber-metric possible is not the answer.

We believe there are three major areas that IT and security executives need to communicate to their board: the company's cybersecurity history, with a focus on learning from the past; the current state of affairs; and where IT and security executives would like to make changes to improve the organization's overall cybersecurity risk posture.

They should also continually come back to the boardroom and show what they are doing at that time relative to what was discussed and approved by the board in previous meetings. It's equally important to share with the board how their latest cybersecurity investments have reduced the organization's overall risk. IT and security executives should explain what they were looking to do when they last spoke with the board, where they are now and where they think they will be moving forward. This kind of tracking enables the board to see a tangible cybersecurity risk reduction being made while they were steering the ship.

IT and security executives get limited time with the board. They should use that time to share the actual risks that could impact the organization and then get the board to help address those risks, and empower them to reduce them in the process.

The Chief Legal Officer or General Counsel should be the overseer of both parties. They play an important role in making sure IT and security executives are reporting information based on an automated, repeatable process and the board is holding them accountable for doing so. It is legal executives’ responsibility to do whatever they can to help the organization avoid litigation and that means getting involved, rolling up their sleeves and informing both parties what their responsibilities are in minimizing the organization’s cybersecurity risk.

They should share with the board what is expected of them including demanding that IT and security executives provide them with actionable information so that they can make informed decisions about the organization’s cybersecurity risk. On the other side, legal executives should make sure IT and security executives are aware that the information they are sharing with the board needs to be trustworthy and traceable. Legal executives can explain how both sides have a part in cybersecurity risk reduction and they can help bridge the gap in communication by making sure both parties understand their responsibilities.

BNA: http://bit.ly/1U5bCiV
