History is repeating itself. It may surprise you to learn that before Sarbanes Oxley passed in 2002, having a director that was a financial expert in the American corporate boardroom was not the norm. In fact, CFOs who were originally thought of as financial gatekeepers are more than ever before held accountable for the integrity, accuracy and traceability of the financial information presented to the board.
The same transformation is happening today in the cyber world. Due to the endless onslaught of data breaches, combined with an increase in cyber regulation, more technologies being added to the work environment and more information to protect than ever before, the cybersecurity executive’s role is elevating. Whereas in the past CISOs and CSOs were mainly viewed as the technology experts, siloed from the rest of the business, today they are being held accountable to present traceable, understandable and actionable information to the board.
According to a survey conducted by Osterman Research, more than half of board members say IT and security executives will lose their jobs because of failing to provide them with useful, actionable information. Boards speak the language of risk and are holding security leaders accountable for doing the same, yet many security leaders are struggling to do so. The Osterman report also reveals more than half (54%)of board members agree or strongly agree that the data presented is too technical.
To bridge the communication gap and swim ahead of the changing tide, cybersecurity executives must shift to a risk-centric strategy. They should focus on the overall risk landscape making certain there is direct alignment with business imperatives, company strategy and the area most impacted (positively or negatively) by risk.
A good starting point is to define your risk. Cyber risk is a consequence of the alignment of threats and vulnerabilities against an asset of value. A threat without a vulnerability or a vulnerability without a threat, does not present a risk.
Security executives should identify their most valued assets, those that if compromised, would cause the most damage to the business. They should determine where those assets live as well as who governs and accesses them.
Next, they should uncover and mitigate threats and vulnerabilities that could lead to a compromise of those assets. However, here’s where many security teams hit a wall. So many threat alerts and vulnerabilities pour in each day, it’s tough to decipher which ones should be mitigated first. Some companies rely on their security tools to score and prioritize, yet, too often those tools lack additional business context such as the financial loss if a threat succeeded, if an unusual behavior was business justified, and the value of the asset at risk. When prioritizing threats and vulnerabilities to tackle first, all parts of the risk equation as well as this kind of additional business context must be considered.
Finally, measure, measure, measure. Boards base their investment decisions on measurable metrics. Thus, security executives should continuously measure the financial impact, in dollars and cents, of cyber risk based on cybersecurity telemetry in their environment and prioritize their actions based on those that reduce impact the most. They should also show their board how much risk was reduced due to their actions.
It’s time for cybersecurity executives to enter the new world. Boards do not want to hear how many firewalls were deployed or how many vulnerabilities were patched. They want to understand how much the company could potentially lose, what should be done and has been done to minimize that potential loss, and how much risk was reduced due to actions led by their security executives. If CISOs and CSOs shift to that risk-based approach, they will be viewed as boardroom staples, having a bigger voice in the overall decision making process and becoming even more valuable to the top leadership of the company.