It makes sense that if a board knew what it wanted to hear about, it would simply tell the CISO. Unfortunately, boards often don't know. This puts the CISO in the awkward position of having to read the board's collective mind and deliver what the CISO thinks the board wants to hear. Clearly, this is a problem, but it is also an opportunity to exert cybersecurity leadership and move the board in directions the CISO wants it to go.
Here’s how to do that.
Gather Input from Board Members
A good CISO will start by approaching individual board members to find out what they specifically want to ask and hear about cybersecurity risk. At the end of the day, the board doesn't necessarily care whether systems are secure; it cares how cybersecurity affects the proper functioning of the organization. Board members care whether cybersecurity, or the lack of it, will disrupt company operations. They care about financial risk. They care about the organization remaining functional. Ideally, a smart board will also want to know whether cybersecurity can become a competitive advantage.
To that end, the CISO should conduct these interviews personally. Since board members may not know what they want to hear, it is also useful to ask other executives what they believe the board wants to hear and how the board prefers to have risk presented. Rather than starting from their own preconceived notions, a CISO needs to start from what will satisfy the board.
Address Cyber Risk in Financial Terms
Even when the CISO has accounted for the board's specific concerns, time is short: CISOs typically get about 15-20 minutes in front of the board. The topics covered can include anything, but outside of specific board concerns there is a general format:
- Overview of the cybersecurity program and risk exposure
- Incidents that happened since the last briefing
- Status of major programs being undertaken by the CISO
- Overview of the threat landscape and emerging issues, and what the CISO is doing to address the issues
- Requests of the board, such as help overcoming roadblocks with other departments, budget, etc.
It is best to address risk in specific financial terms. Risk should be considered both in terms of what there is potentially to lose and in terms of what can be saved. Fundamentally, all cybersecurity programs should reduce risk and increase opportunity. For example, a company can't offer online transactions at all without cybersecurity embedded in them.
To that end, CISOs first need to talk about the risk itself, meaning potential loss. They need to identify the types of losses that can result from cybersecurity failures, which is what boards are fundamentally concerned about. For this, CISOs need to anticipate the different types of losses and estimate their potential value. Such losses include data breaches, system outages, insider theft, and data loss, among others that are standard for a given industry.
Use an Effective Cyber Risk Quantification Tool
The next question is how to come up with the potential financial risk.
There is a plethora of cyber risk quantification (CRQ) tools available, along with consulting services that will calculate this risk. Both vary greatly in quality. The services can be costly and slow, and a long engagement may produce a report that is outdated before it is complete. The tools vary immensely in quality, and the biggest difference between them is how transparent their numbers are.
Because of this, the big questions a board will want to ask are, "How were these numbers derived? How can I trust them?" With many tools, the stated risk is neither transparent nor justifiable; with some, the calculation is clear and understandable to all parties. Ideally, a CISO should be able to walk through the data and see every detail of the calculations, including the inputs behind each figure. Without this, you are generally hoping that the board will simply accept pretty graphics that sound reasonable.
Justify Funding with Return on Investment
The next issue is that when a CISO discusses their program and requests funding, it helps to justify the ongoing effort in terms of return on investment and overall reduction of financial risk. For example, a CISO might say, "With regard to this project, we are X% complete and have so far reduced risk by $XX,XXX,XXX. We expect to continue according to the following schedule…" This is a powerful description of the progress and value the CISO is producing.
Likewise, when a CISO wants to request additional budget or pursue additional activities, it is again best to frame the request in financial terms. For example, "I want to implement a new technology that will reduce the threat from XXXX. The technology will cost $XXX,XXX and reduce our exposure by $XX,XXX,XXX."
Essentially, a CISO is putting a business case together in terminology that the board is used to hearing.
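To show what a defensible answer to "how were these numbers derived?" looks like, and what arithmetic sits behind a statement such as "this technology costs $X and reduces our exposure by $Y", here is an added worked example in Python. It is not CYE's Hyver or code from the original post. It uses one common CRQ approach (a Poisson event rate per loss type and a lognormal loss per event, so expected annual loss is rate times mean loss), and every scenario, rate, loss size and the hypothetical "backup hardening" control are constructed placeholders to be replaced with an organization's own estimates.

```python
"""Transparent cyber risk quantification from explicit, inspectable inputs.

Added example, not CYE's or the post's own method.  Model: each loss type has a
Poisson annual event rate and a lognormal per-event loss, so expected annual
loss (ALE) = rate x mean loss, and a control's ROI = loss avoided - cost.
Every number below is a constructed placeholder, not measured data.
"""
import math
import random
from dataclasses import dataclass

Z90 = 1.2816  # standard-normal 90th percentile; turns a p90 loss into a lognormal sigma


@dataclass(frozen=True)
class LossScenario:
    """One loss type the board cares about."""
    name: str
    annual_frequency: float   # expected events per year
    severity_median: float    # dollars lost in a typical event
    severity_p90: float       # dollars lost in a bad (1-in-10) event

    def __post_init__(self):
        if self.annual_frequency < 0 or not (0 < self.severity_median <= self.severity_p90):
            raise ValueError(f"{self.name}: bad frequency or severity inputs")

    @property
    def sigma(self) -> float:
        # Lognormal: p90 = median * exp(Z90 * sigma)  =>  sigma = ln(p90 / median) / Z90
        return math.log(self.severity_p90 / self.severity_median) / Z90

    @property
    def mean_severity(self) -> float:
        # Lognormal mean = median * exp(sigma^2 / 2); it sits above the median
        return self.severity_median * math.exp(self.sigma ** 2 / 2)

    def expected_annual_loss(self) -> float:
        # ALE = events per year x mean loss per event; both factors can be shown to the board
        return self.annual_frequency * self.mean_severity

    def sample_annual_loss(self, rng: random.Random) -> float:
        events = _poisson(self.annual_frequency, rng)
        mu = math.log(self.severity_median)
        return sum(rng.lognormvariate(mu, self.sigma) for _ in range(events))


def _poisson(rate: float, rng: random.Random) -> int:
    """Knuth's Poisson sampler; adequate for the small annual rates used here."""
    limit, k, p = math.exp(-rate), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def portfolio_ale(scenarios) -> float:
    return sum(s.expected_annual_loss() for s in scenarios)


def simulate_annual_loss(scenarios, trials=20_000, seed=1):
    """Monte Carlo over one year: (mean, median, p95) of total loss in dollars.
    The percentiles answer 'how bad is a bad year?', which a single ALE hides."""
    rng = random.Random(seed)
    totals = sorted(sum(s.sample_annual_loss(rng) for s in scenarios) for _ in range(trials))
    return sum(totals) / trials, totals[trials // 2], totals[int(0.95 * trials)]


def apply_control(scenario, frequency_reduction=0.0, severity_reduction=0.0):
    """The same scenario with a control in place; reductions are fractions."""
    if not (0 <= frequency_reduction <= 1 and 0 <= severity_reduction < 1):
        raise ValueError("frequency_reduction in [0, 1], severity_reduction in [0, 1)")
    keep = 1 - severity_reduction
    return LossScenario(scenario.name, scenario.annual_frequency * (1 - frequency_reduction),
                        scenario.severity_median * keep, scenario.severity_p90 * keep)


def mitigation_roi(before, after, annual_cost):
    """(loss avoided per year, net benefit, ROI ratio) for a control costing annual_cost."""
    avoided = portfolio_ale(before) - portfolio_ale(after)
    net = avoided - annual_cost
    return avoided, net, net / annual_cost


# Constructed inputs: rates and loss sizes are placeholders, not measured data.
SCENARIOS = [
    LossScenario("Customer data breach", 0.3, 2_000_000, 6_000_000),
    LossScenario("Ransomware outage", 0.2, 3_000_000, 12_000_000),
    LossScenario("Insider theft", 0.5, 250_000, 1_000_000),
]


def backup_hardening_case(annual_cost=250_000):
    """Hypothetical control assumed to cut ransomware outage frequency by 60%."""
    after = [apply_control(s, frequency_reduction=0.6) if s.name == "Ransomware outage" else s
             for s in SCENARIOS]
    return mitigation_roi(SCENARIOS, after, annual_cost)


if __name__ == "__main__":
    for s in SCENARIOS:
        print(f"{s.name:22s} rate={s.annual_frequency:.2f}/yr  mean loss=${s.mean_severity:,.0f}"
              f"  ALE=${s.expected_annual_loss():,.0f}")
    mean, p50, p95 = simulate_annual_loss(SCENARIOS)
    print(f"Portfolio ALE ${portfolio_ale(SCENARIOS):,.0f}; simulated mean ${mean:,.0f}, "
          f"median ${p50:,.0f}, 95th percentile ${p95:,.0f}")
    avoided, net, roi = backup_hardening_case()
    print(f"Backup hardening: cost $250,000, exposure reduced by ${avoided:,.0f}, ROI {roi:.0%}")
```

The point for the board is that every figure traces back to two inputs per loss type (how often, how much) that a skeptic can challenge one at a time, and that the bad-year percentiles are reported alongside the expected loss rather than hidden behind it.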
Of course, not all boards are alike, and there are many excellent CISOs who present different information in different ways to their own boards. There isn't necessarily a single right way to do it. However, when CISOs present the cyber risk posture to their boards, we at CYE have found it most effective to discuss plans in financial terms, including return on investment. It helps if the numbers are defensible and can stand up to skeptics who assume cybersecurity professionals are always doomsayers.
How CYE Can Help
With CYE’s optimized cyber risk quantification platform, Hyver, you can:
- Determine the potential financial consequences of cyber risk in dollars and estimate the cost of mitigating those risks
- Assign the cost and likelihood of a breach to each business-critical asset
- Plan your cybersecurity budget and understand the financial impact of mitigation activities
Want to learn more about how CISOs can present cyber risk to the board? Download our guide.