Why Is Security Reporting Still Failing?

Accountability is now a major force in cybersecurity. We’ve seen the Securities and Exchange Commission (SEC) hold the SolarWinds CISO, Timothy Brown, to account, accusing him of overstating cybersecurity practices and failing to disclose known risks, while Uber’s former CISO, Joe Sullivan, narrowly escaped going to jail for failing to disclose a breach. Stateside, the SEC introduced new incident reporting requirements for timely disclosure last year, and closer to home NIS2 will also introduce accountability requirements for corporate management in October, which could see them fined and banned or discharged from executing a managerial function.

What this means is that the pressure to communicate risk effectively to the board has increased enormously, yet it’s still an area that many struggle with.

From the CISO’s perspective, there’s a difficulty in communicating abstract concepts to a technically challenged board. According to the Voice of the CISO Report 2023, 62% of CISOs believe cybersecurity expertise should be a board-level requirement to prevent this issue, revealing that technical knowledge is lacking in the board room.

On the other side of the divide, a PwC Pulse Survey found only 32% of corporate directors say they are completely satisfied with the information they are given on cybersecurity, suggesting that the way information is imparted is impairing decision making. Another recent survey found only 69% said they see eye-to-eye with their CISO, and the Voice of the CISO report found only 51% of CISOs feel they have their board’s backing, compared to 71% the year before.

Resolving this disconnect will not be easy. Nearly a quarter (24%) of all UK businesses do not feel confident communicating cyber risk to directors, trustees and senior managers, according to the UK government’s Cyber security skills in the UK labour market 2023 report. Moreover, 35% said management don’t understand the staffing needs or the cyber risks facing the organisation. And 40% do not think their senior leaders understand when cyber security breaches need to be reported externally or the steps needed to manage a breach.

Failing to adequately communicate risk can negate any security gains and seriously undermine security initiatives and jeopardise budget.

Poor communication also leads to an over-emphasis on statistical outcomes and on how effective the business is at stopping attacks, rather than on the acceptance of risk and a focus on resilience. After all, attacks are inevitable, and it’s how these are dealt with and their potential impact that matter. So, the problem for the CISO becomes one of educating the board and interpreting technical jargon, all before they can get on to the nitty gritty of how risk is being assessed.

It's here that CISOs make their biggest mistake, and it is at this point that they will often lose their audience. The board will switch off when confronted by such intangibles as risk scores, matrices and vectors, even if those numbers are presented well. For them, it’s all about sustaining business as usual and preventing disruption. So, the most effective way to communicate cyber threats and mitigation is to focus on the risk to those business processes and the associated business impacts. Understanding the impact radius of a breach or attack provides the context needed to justify refining processes and controls.

For example, instead of using a “Red/Amber/Green” (RAG) status or numbers to indicate a perceived risk, reporting should focus on the actual outcomes of a risk occurring and what this would mean to the business in practical terms – in essence, the potential costs. This might take the form of a loss of business, reputational damage, financial loss, or non-compliance and punitive measures, i.e. penalties. Such impacts are easier to relate to, and if the risk is more easily quantified and understood then it is much more likely to secure the resources needed to control it, which is ultimately the CISO’s goal.

Measurements do of course have a place, but being able to draw upon comparisons helps demonstrate progress made. An example here might be assessing the cyber maturity of the business, which is typically evaluated against a risk framework such as the NIST CSF. It features six easily understood categories (identify, protect, detect, respond and recover, alongside the overall theme of governance), and the framework itself aims to “provide a common language for communicating inside and outside the organisation about cybersecurity risks, capabilities, needs and expectations”. In the case of a maturity assessment, those six categories are rated on a sliding scale, with recommendations for improvement to move the business forward in its journey towards cyber maturity.

Conducted on a regular basis, this type of easily intelligible information can then help evaluate current provisioning and guide future spend and investment.

The maturity assessment is just a single – albeit important – facet when it comes to reporting to the board. In addition, CISOs routinely provide updates on changes to the risk landscape and how these are being prioritised, on security incidents, and on projects and initiatives, delivered on a quarterly, six-monthly or annual basis. The RSAC Executive Security Action Forum (ESAF) delves into these other areas in more depth in its report, “What top CISOs include in updates to the board”, and provides some interesting insights into ways in which information can be conveyed more meaningfully, from using hypothetical scenarios to qualitative observations.

Interestingly, how the CISOs in the report present their information is usually determined by their accountability to the board. Those that believe they should show progress over time were more likely to resort to metrics, those focused on delivering results resorted to a roadmap, and those looking to manage and prioritise risk tended to use a risk framework. Of course, the emphasis on greater accountability is likely to see them needing to deliver on all three fronts.

If we go back to the Uber case, however, Sullivan says there are some clear lessons to be learnt. He has since gone on record as saying the company did as advised, observing the terms of its Directors and Officers (D&O) insurance policy, which is supposed to indemnify senior management against prosecution in such scenarios. As specified in the data breach policy, the legal and communications teams were called and the CEO kept informed. Their mistake, he says, was that the company didn’t call in a third-party investigator to review how the breach was handled, which would have ensured true transparency.

It's a situation that no CISO wants to be in, but when it does happen, those communication skills and being aligned with the board can make all the difference. It gets both on the same page, is more likely to lead to effective decision making, and helps make the call when the time comes to bring in the specialists.

Phil Robinson is Principal Consultant at Prism Infosec
