CISOs Must Make Believers of Their Board Before a Breach Occurs
Boards today need more information about cybersecurity than ever before, but to be effective at risk reporting, CISOs are advised to provide a strong educational foundation first.
By: Kevin Hanes
When people are provided information about a topic they are unfamiliar with—especially if it's unnerving—they tend to take a wait-and-see posture prompted by their skepticism that the information is true. However, when it comes to cybersecurity, an "I'll believe it when I see it" stance is not in the best interest of any organization. By then it's too late to manage the risk.
An Opportunity to Improve Receptivity
According to the Marsh-Microsoft Global Cyber Risk Perception Survey, February 2018:
53% of Chief Information Security Officers said they provide reports to board members on cyber investment initiatives. Yet only 18% of directors said they receive such information.
The growth in cyber-risk has necessitated that board members develop enough acumen to determine whether management is managing the risk appropriately relative to tolerance and strategy. But what's making that task difficult is a lack of comfort with the new and often complicated subject matter; a limited amount of time to learn more about cybersecurity; and the lack of a standardized framework for assessing the risks.
Too often, Chief Information Security Officers find that their first attempt at reporting to the board either devolves into deep and frustrated scrutiny of a single metric or, conversely, meets a lack of board engagement in the subject matter overall. A typical security response is to pad the report with yet more data in an attempt to prove out the risk. But unless the board has enough context to make that data relevant to "likely" business risks, the board's receptivity may get worse, not better.
Cybersecurity Education Can Improve Board Receptivity to Risk Reporting
What we often discover in our risk consulting engagements is a built-in assumption that the board is ready to receive the company's cybersecurity reporting in the same way that they are predisposed to receive financial reporting. In reality, hearing is one thing, but receiving is another. Board members may not be receiving your message on the right frequency until they have a foundational understanding in the following key areas:
- Who threat actors are and what motivates them
- Why your company can be a target, even if it is to use you to get to others (there is no immunity)
- How those threats translate to business risk for your organization
- And why total prevention of cyber-risk is a myth that must be debunked
If you ask someone without an IT background to describe cyber-risk for the first time, they may relate the scenario of a bad person doing bad things—akin to breaking and entering to burglarize a building. They may expect there to be a telltale sign that the burglar has been there, such as a room in disarray.
The truth about cybercrime is that you may not even know the threat actors have been there or are still in your network. Cyber criminals can use tactics to steal valid credentials and use them in a company-compliant way to access your network and move through your environment. It's not until they execute theft or damage that their presence is evident, and it's not unusual for that to be as long as 300 days after the adversary first gained access. Quite often the discovery is made by a third party such as business partners or law enforcement. Remember that context is important for board members to visualize a realistic scenario for cybercrime.
An annual educational briefing, or the onboarding of new directors, is a perfect opportunity for you to educate them on cyber-risk and elevate their level of confidence that the organization is incident-ready.
Analogies also can help describe the asymmetry of cybersecurity risk. For example, a building can never be guaranteed as fireproof. Yes, it can meet compliance requirements of new building codes and be built with the most technologically advanced materials, but if someone enters the building with a fire accelerant and decides to use it, the building will most likely be set ablaze. Or another angle: You cannot stop a hurricane. If you are in its path, the best you can do is to prepare to survive its impact because of careful planning and precautions taken in advance.
Help Your Board Understand How Threats Operate and Why Everyone Is A Target
Once you get the board to understand the nature of cybersecurity risk, discussions about threat actor motivations and their techniques, tools, and procedures will be more productive. Many of our clients find that sharing an "anatomy" of a headline breach (in layman's terms) provides good context for discussing how other companies became victims, and what protections may have prevented the breach or minimized the impact.
Finally, it's essential to help the board dispel the myth that the organization is not a target. For example:
"We work in an obscure part of the welding industry. No one will want to bother with us."
But will they want to bother with your customers? What customer data do you hold that would be appealing to a hacker? What about architectural diagrams? Or, do you have third-party access to your customers' systems that could provide a backdoor entry to a threat actor because of a vulnerability in your own system?
An environmental trigger, like regulatory pressure, may also help make cybersecurity concepts more relevant to business risk. For example, we hear from CISOs every day that their next desired state of maturity is to get more context about what their solutions are detecting (deeper analysis) so they'll know enough about incidents to take the right action. But many have trouble explaining to board members why this next level of maturity is necessary. For CISOs of publicly traded companies, the SEC's recently issued interpretive guidance on cybersecurity disclosures may help reinforce the value of greater clarity about incidents. The SEC guidance asked public companies to be more accountable for information related to cybersecurity risks and incidents, and it calls for greater clarity and more detailed information about when cyber incidents should be elevated to management for the purpose of avoiding insider trading conflicts.
CISOs of public companies can naturally expect a flurry of board inquiries about what policies and reporting metrics they have in place for elevating incidents, but I'd suggest it's also an opportunity to educate proactively about your roadmap to maturity. Highlight the limitations of "alerts" and discuss the value of investing in higher level analysis solutions (and partnerships) that give you enough context to not just identify a threat, but also know whether the incident is material to business risk, and what you should do about it.
As you spend more time educating the board and their knowledge of cybersecurity risk grows, they will begin to see that security is a process of continuous improvement, not a once-and-done program that simply needs ongoing maintenance. You will succeed in making them believers before a breach occurs and pave the way to better receptivity of risk reporting. Learn more about how to align cybersecurity reporting to the business in our CISOs Toolkit for Reporting to the Board.