Communications Breakdown: CISOs & Company Boards

Bay Dynamics: The CISO's Ultimate Guide to Reporting to the Board

Bay Dynamics recently released a report that surveyed information technology and security officers about the types of cybersecurity activity they report to their board of directors. The report concluded that chief information security officers (CISOs) and the board of directors don't adequately share cybersecurity threat information.

Bloomberg BNA Privacy & Data Security News Senior Legal Editor Daniel R. Stoller posed a series of questions to Bay Dynamics Chief Executive Officer Feris Rifai.

The Bay Dynamics report indicates that CISOs are confident about what cybersecurity threat information to present to the board and what type of information the board wants to hear. However, much of this information is either misunderstood or too technical. What can CISOs do to streamline the process and provide more actionable information?

In order for the board to make decisions regarding an organization’s cybersecurity risk posture, they need quantitative information that is framed in the context of relevant business concerns.

The challenge for the modern CISO is to translate cybersecurity risk into a language that non-security practitioners can understand and use to drive decisions. The cybersecurity metrics shared may differ from one company to the next, but ultimately you want to provide your board with highlights of significant risks to the business in an effort to help them achieve effective oversight and facilitate the right action that can help you reduce your company's cybersecurity risk.

For example, as an IT and security executive, you may want to inform the board how you are currently protecting the company’s crown jewels (e.g. employee credentials, customer credit card information, health care records, trade secrets, etc.), and then describe how the risk to these crown jewels can be mitigated by making certain investments. Do this in plain English and without security-specific technical jargon. Quantify what’s at stake (the value at risk), what you are currently doing about it, and what else you can do to reduce your cybersecurity risk.

Another example could be discussing the kind of attacks you're seeing on companies in your industry, such as compromised third-party vendor credentials that have access to the company's crown jewels, and then providing an assessment of the business impact of such an attack with an estimated dollar amount in loss of sales, reputational damage, liability, etc., and finally making a recommendation to the board as to managing that very risk. This in turn helps you and your board justify an investment that may be much needed for you to prevent or drastically reduce the likelihood of such an event.

IT and security executives should also provide progress reports over time regarding how those decisions helped reduce the overall cybersecurity risk of the organization. This enables your board to see how their decisions directly impacted the cybersecurity risk posture of the organization.

Ultimately, cybersecurity is a risk management problem. IT and security executives want to show the level of risk the organization faces today and that by taking certain actions the board can help reduce it. The board understands and speaks the language of risk. By speaking the board's language, IT and security executives will be able to gain their support in helping them improve the organization's cybersecurity risk posture.
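The "value at risk, what we are doing, what else we could do" framing in the answer above, worked through as an added example (this is not code from Bay Dynamics, the report or the interviewee): a small register of crown jewels with an assumed value and annual likelihood of compromise, a set of candidate controls with an assumed cost and an assumed reduction in likelihood, and the annualised expected loss before and after. Every asset, number and control name below is a constructed placeholder, and the layering model (controls on one asset multiply as independent factors) is an assumption of the example, not a statement from the page.

```python
"""Added example (not Bay Dynamics code): cyber risk as annualised expected
loss, so that value at risk, current posture and each candidate investment
become numbers a board can compare.

All assets, likelihoods, controls and costs are constructed placeholders.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    """A 'crown jewel' and the rough numbers the board needs about it."""
    name: str
    value_at_risk: float      # loss if fully compromised, in dollars (assumed)
    annual_likelihood: float  # probability of compromise per year (assumed)


@dataclass(frozen=True)
class Control:
    """A candidate investment and the share of likelihood it removes per asset."""
    name: str
    annual_cost: float
    reduces: dict  # asset name -> fraction of annual likelihood removed (assumed)


# Constructed register: three crown jewels of the kind the interview lists.
ASSETS = (
    Asset("customer card data", value_at_risk=5_000_000, annual_likelihood=0.10),
    Asset("employee credentials", value_at_risk=800_000, annual_likelihood=0.25),
    Asset("trade secrets", value_at_risk=10_000_000, annual_likelihood=0.02),
)

# Constructed candidate investments, e.g. against the compromised vendor
# credential scenario the interview describes. Reductions are assumptions.
CONTROLS = (
    Control("MFA on vendor remote access", 120_000,
            {"customer card data": 0.4, "employee credentials": 0.5}),
    Control("segment cardholder environment", 250_000,
            {"customer card data": 0.6}),
    Control("DLP on R&D file shares", 90_000,
            {"trade secrets": 0.5}),
)


def expected_loss(assets, controls=()):
    """Annualised expected loss: sum of value_at_risk * residual likelihood.

    Model assumption: controls on the same asset act as independent layers,
    so residual likelihood = p * (1 - r1) * (1 - r2) * ...
    """
    total = 0.0
    for asset in assets:
        residual = asset.annual_likelihood
        for control in controls:
            residual *= 1.0 - control.reduces.get(asset.name, 0.0)
        total += asset.value_at_risk * residual
    return total


def rank_controls(assets, controls):
    """Rank each control on its own by net annual benefit, best first.

    Returns (name, loss_avoided, annual_cost, net_benefit) tuples: the
    comparison a board needs to approve one investment over another.
    """
    baseline = expected_loss(assets)
    rows = []
    for control in controls:
        avoided = baseline - expected_loss(assets, (control,))
        rows.append((control.name, avoided, control.annual_cost,
                     avoided - control.annual_cost))
    rows.sort(key=lambda row: row[3], reverse=True)
    return rows


def board_summary(assets, approved_controls):
    """Before/after figures for a progress report back to the board."""
    before = expected_loss(assets)
    after = expected_loss(assets, approved_controls)
    return {
        "expected_loss_before": before,
        "expected_loss_after": after,
        "reduction": before - after,
        "reduction_pct": 100.0 * (before - after) / before,
        "annual_control_cost": sum(c.annual_cost for c in approved_controls),
    }


if __name__ == "__main__":
    for name, avoided, cost, net in rank_controls(ASSETS, CONTROLS):
        print(f"{name:32s} avoids ${avoided:>10,.0f}/yr  "
              f"costs ${cost:>9,.0f}/yr  net ${net:>9,.0f}/yr")
    s = board_summary(ASSETS, CONTROLS)
    print(f"expected loss: ${s['expected_loss_before']:,.0f} -> "
          f"${s['expected_loss_after']:,.0f} ({s['reduction_pct']:.0f}% reduction)")
```

With the constructed figures, the baseline expected loss is $900,000 a year; MFA on vendor access ranks first because it avoids $300,000 of that for $120,000, and all three controls together bring the figure to $320,000. The point of the structure, rather than the numbers, is that the same function run each quarter against the controls the board actually approved gives the before/after progress report the answer calls for, and the assumptions (values, likelihoods, reductions) are explicit fields the board can challenge rather than buried in a spreadsheet.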

Cybersecurity reporting is dominated by manual methods, i.e. manually imported Excel files. What are the pros and cons of a manual method? If a manual method is not a best practice, is there technology that exists to automate the process?

Most enterprises have siloed IT and security systems and teams, and cobbling together board reporting manually by compiling spreadsheets that include subjective data massaging to make everything line up has significant downsides. Not only is it a major drain on resources and productivity, but it can also provide a false sense of security that hides serious deficiencies from both the IT/security executives and in turn the board.

Whether it is due to intentional manipulation or human error, it leads to incorrect reporting and oversight of important data. In the end, IT and security executives may wind up with outdated and/or partial data, or overlook critical data that the board needs to make informed decisions.

IT and security executives need a repeatable, automated and traceable process to reflect the organization's true cybersecurity posture. There is technology that provides that. We call it "The Great Unifier." User and entity behavior analytics combined with advanced situational awareness software unifies an organization's security controls by collecting data from them and producing automated, accurate reports that reflect the organization's cybersecurity risk posture.

The software adds a layer above an organization's security detection tools, providing a consistent view across data sets and enabling IT and security executives as well as the board to make good, informed decisions. The software helps organizations measure, communicate, and reduce their cybersecurity risk. It distills what's happening in their environment down to information IT and security executives can serve to the right people at the right time for the right action.

Board members have a fiduciary responsibility to hold IT and security executives to a higher standard and should request information about the systems being used to measure and provide them with the organization’s cybersecurity risks.

The frequency of cybersecurity threat information presented to the board is lacking, according to the report. How can CISOs and the board of directors balance an overload of information versus underreporting of cybersecurity threats?

IT and security executives should focus on addressing the board in a holistic manner. Obsessively reporting every cyber-metric possible is not the answer.

We believe there are three major areas that IT and security executives need to communicate to their board: the company's cybersecurity history, with a focus on learning from the past; the current state of affairs; and where IT and security executives would like to make changes to improve the organization's overall cybersecurity risk posture.

They should also continually come back to the boardroom and show what they are doing at that time relative to what was discussed and approved by the board in previous meetings. It is equally important to share with the board how their latest cybersecurity investments have reduced the organization's overall risk. IT and security executives should explain what they were looking to do when they last spoke with the board, where they are now and where they think they will be moving forward. This kind of tracking enables the board to see a tangible cybersecurity risk reduction being made while they were steering the ship.

IT and security executives get limited time with the board. They should use that time to share the actual risks that could impact the organization and then get the board to help address those risks, and empower them to reduce them in the process.

The Chief Legal Officer or General Counsel should be the overseer of both parties. They play an important role in making sure IT and security executives are reporting information based on an automated, repeatable process and the board is holding them accountable for doing so. It is legal executives’ responsibility to do whatever they can to help the organization avoid litigation and that means getting involved, rolling up their sleeves and informing both parties what their responsibilities are in minimizing the organization’s cybersecurity risk.

They should share with the board what is expected of them, including demanding that IT and security executives provide them with actionable information so that they can make informed decisions about the organization's cybersecurity risk. On the other side, legal executives should make sure IT and security executives are aware that the information they are sharing with the board needs to be trustworthy and traceable. Legal executives can explain how both sides have a part in cybersecurity risk reduction, and they can help bridge the gap in communication by making sure both parties understand their responsibilities.

BNA: http://bit.ly/1U5bCiV
