How CISOs Can Successfully Talk Security to CEOs

It would be funny, if it were not so frustrating, that two individuals so intent on managing risk don’t understand one another. But that is the fundamental problem between business and security leaders. The gap is so huge that bridging it may seem nearly impossible. Yet, it can be done.

Here’s some much-needed illumination on why previous attempts to close the gap have resulted in bridges to nowhere—and how to fix that.

Understanding the C-level Perspective

“The fact that cybersecurity is a board issue is yesterday’s news,” said Nik Whitfield, CEO of Panaseer, a cybersecurity data analytics company. “While there is lots of data available, the puzzle that CISOs are trying to solve is how to bring this information together to show the board the picture they need to see.”

It’s like both sides are speaking a different language. The first step in effectively communicating with the CEO and board is to understand their risk language.

“As a CEO, my key concerns are growing the business and increasing shareholder value. As it relates to cybersecurity, I want a holistic picture, not a discussion of the latest technologies,” said Scott Kannry, CEO of cyber risk management company Axio.

Kannry noted his most valuable framework for understanding CISOs is to ask them to answer these four questions:

  1. Do we know our risk and fully understand the dollars and cents involved? Have we taken a sampling of scenarios, put various operational and functional staff around a table and used their collective knowledge to estimate what each of a variety of events could cost?
  2. Do we use a maturity-based cyber evaluation framework and align it with the scenarios quantified in the previous step?
  3. Do we maintain the resources and financial ability to recover from a meaningful event? Do we have the right balance of financial reserves and insurance to pay for as much (or all) of the forensics costs, notification requirements, lost revenue, stolen funds, legal fees and liabilities, repair costs or replacement of damaged assets and others? How do we understand how much insurance to buy? See Step 1.
  4. Do we benchmark our organization against others, possibly a peer group?

In short, CEOs and board members are looking for the bigger picture in risk calculations.

According to The Cyber Balance Sheet survey of more than 80 board members, CISOs and subject matter experts, “Board members were five times as likely to cite ‘risk posture’ as a key security metric compared to CISOs. They are also 13 times as likely to say the same about ‘peer benchmarking’ – showing boardrooms’ greater concern for the big picture.”

That same report found that board members are inundated with security data and often just assume CISOs have things under control. Hence, they tend to “tune out” and simply expect the CISO to keep everything secured. So when something does go wrong, all fingers point to the CISO—an untenable situation, to say the least.

Speaking in Business Tongues

“When discussing cybersecurity risks with the CEO, or the C-suite in general, it’s critical to bridge the gap from purely technical to business terms,” said Brad Arkin, CSO at Adobe. “Remember that top executives have to prioritize many aspects of the business, including investor expectations, revenue and profit, brand equity, employees, etc., so it’s your job as the CISO/security expert to illuminate the business case for security in a broader business risk management context.”

Specifically, this means dumping technical metrics and scare tactics from the conversation. Instead, focus on calculating risks in terms of business impact.

“As far as how risk is determined, the key is not to think primarily in terms of technical metrics, such as unpatched OS vulnerabilities or average password strength, but in terms of business impact,” advised Nir Gaist, founder and CTO of Nyotron, a security products and services provider. “What is the probability that bad thing X could happen to us? What is the business consequence of X? What is a possible way to calculate the financial impact of that business consequence?”
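Kannry’s scenario-costing questions and Gaist’s “probability of X times business consequence of X” framing describe the same quantification exercise. What follows is an added worked example, not code from this article or from Axio or Nyotron, showing one way to turn tabletop estimates into the dollar figures a CEO asks for. Its modelling choices are assumptions of this example, not the article’s: each scenario’s per-event loss is taken to be lognormal, fitted from the 10th- and 90th-percentile estimates a room of operational staff would give, and the number of events per year is taken to be Poisson. The three scenarios and their numbers are constructed for illustration.

```python
"""Scenario-based cyber risk quantification (added example; hypothetical data)."""
import math
import random
import statistics
from dataclasses import dataclass

Z90 = 1.2815515655446004  # standard normal quantile for the 90th percentile


@dataclass(frozen=True)
class Scenario:
    """One tabletop scenario: how often it happens and how bad it is when it does."""
    name: str
    events_per_year: float  # expected frequency, e.g. 0.2 = about once in five years
    loss_p10: float         # "it would cost at least this much", USD
    loss_p90: float         # "it would cost no more than this, barring surprises", USD

    def lognormal_params(self):
        """Fit a lognormal severity curve to the p10/p90 estimates (assumption)."""
        mu = (math.log(self.loss_p10) + math.log(self.loss_p90)) / 2
        sigma = (math.log(self.loss_p90) - math.log(self.loss_p10)) / (2 * Z90)
        return mu, sigma

    def mean_single_loss(self):
        """Mean of the fitted lognormal: exp(mu + sigma^2 / 2)."""
        mu, sigma = self.lognormal_params()
        return math.exp(mu + sigma ** 2 / 2)

    def annualized_loss_expectancy(self):
        """Probability-of-X times consequence-of-X, per year."""
        return self.events_per_year * self.mean_single_loss()


def poisson_sample(rng, lam):
    """Number of events in one simulated year (Knuth's method; fine for small rates)."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_loss(scenarios, years=10000, seed=1):
    """Monte Carlo: total loss in each simulated year, summed over all scenarios."""
    rng = random.Random(seed)
    totals = []
    for _ in range(years):
        year_loss = 0.0
        for s in scenarios:
            mu, sigma = s.lognormal_params()
            for _ in range(poisson_sample(rng, s.events_per_year)):
                year_loss += rng.lognormvariate(mu, sigma)
        totals.append(year_loss)
    return totals


def summarize(totals):
    """Mean and tail percentiles of annual loss; the tail sizes reserves and insurance."""
    ordered = sorted(totals)

    def pct(q):
        return ordered[min(len(ordered) - 1, int(q * len(ordered)))]

    return {
        "mean": statistics.fmean(totals),
        "p50": pct(0.50),
        "p95": pct(0.95),
        "p99": pct(0.99),
    }


# Constructed scenarios; the numbers are illustrative, not taken from any real firm.
SCENARIOS = [
    Scenario("customer database breach", 0.10, 800_000, 12_000_000),
    Scenario("ransomware outage, three days", 0.25, 300_000, 4_000_000),
    Scenario("invoice fraud via compromised mailbox", 0.50, 50_000, 600_000),
]

if __name__ == "__main__":
    for s in SCENARIOS:
        print(f"{s.name:40s} ALE ${s.annualized_loss_expectancy():,.0f}")
    summary = summarize(simulate_annual_loss(SCENARIOS))
    print({k: f"${v:,.0f}" for k, v in summary.items()})
```

The annualized loss expectancy per scenario is the figure that answers “what does this cost us in an average year” and lets scenarios be ranked against one another. The simulated p95 and p99 of total annual loss are what Kannry’s third question (reserves and insurance) actually needs: cover is bought against the bad year, not the average one, and the gap between the median and the mean shows how heavy that tail is.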

Tips and Pitfalls

Here is a quick list of dos and don’ts from your peers to help you build a conversation framework that will truly connect your message with the powers-that-be:

  • Speak to risk/reward appetites, not in absolutes. Businesses cannot survive, let alone prosper, if all risk is eradicated. “CISOs can fall into the trap of an engineering mindset that seeks technical perfection. This can undermine credibility and set up unfulfillable expectations. And it misses the central reality of business, which is that risk is essential to reward,” said Gaist.
  • Understand how your company makes money, and speak to that. “Effectively translating technical risk into business risk terms means you have to understand how your company makes money. A web-based company selling to consumers is going to be far more sensitive to web-server vulnerabilities than will a B2B logistics firm,” said Kip Boyle, founder and CEO of Cyber Risk Opportunities, a risk management consultancy and service.
  • Expect disbelief of your numbers, and present them strategically. “Remember that no one believes the numbers on your deck right out of the box, and you’ll wind up in a debate over how good those numbers are. Instead, use numbers sparingly. If someone wants more numbers from you, let them ask for them,” said Gaist.
  • Set up a business report rather than a security report. “CEOs and other C-levels all follow clear forecasting, tracking and reporting. The closer the CISO can align to this methodology, the more impactful they will be,” said Tom Pageler, chief risk officer and chief security officer at Neustar and formerly chief risk officer at Docusign and deputy CISO/executive of global security and investigations director at JPMorgan Chase.
  • Make the impact more personal. Whatever you are describing or pitching, bring the point closer to the audience’s personal domain. “For example, if the discussion is with the VP of Sales, describe sales forecast impact. If the discussion is with the CFO, discuss the exposure to lawsuits and other activities that will stem from a breach and cause additional monetary damages,” said Jason Sinchak, CTO of mobile security company Sentegrity and CISO of Emerging Defense, a cyber-security penetration testing and breach investigation consulting firm.

Now you’re all set. Go forth with confidence, speaking in business terms and with the understanding that there is no “us versus them”—there is only “we.”

Pam Baker

Source: https://securityboulevard.com/2017/12/cisos-can-successfully-talk-security-ceos/

Dear CEO, Are You Enabling Your CISO?

Managing risk is at the forefront of responsibilities that C-level executives deal with on a daily basis. Yet, many executive committees are still ignorant of security risk due to a lack of understanding or an unwillingness to take the time to learn the risks. What are the key questions executives, board members and audit committee members should ask themselves regarding how security risk is managed within their organization?

What do we see?

Over the past 10 years there has been a dramatic increase in the number of security incidents. To give just one example: in just 10 years (2006-2015), the US government saw a 1300% increase in cyber security incidents. 2016 and 2017 have only confirmed this trend with a staggering number of data breaches, ransomware attacks, phishing incidents, etc. Not surprisingly, security risk has claimed a top spot among the business risks in many, if not all, industries. Company boards and executive committees can no longer ignore the fact that just one serious security incident could significantly impact the bottom line and future growth of their company, and potentially even cost them their jobs.

The good news is that managing risk is at the forefront of responsibilities that C-level executives deal with on a daily basis. Managing business risk, and even firefighting, is part of the job description, and planning to prevent the fires is what successful companies do. Hence, CEOs and other members of the C-suite should be well versed in dealing with risks, including security risks.

Yet both the security incidents and the research seem to indicate that many executives are not ready, nor set up, to manage security risks:

  • A recent report by F5 Networks found that although 65% of CISOs say they report to senior executives, most often that reporting is limited to incident and crisis reporting. It also indicates that 35% are not even reporting that.
  • A 2016 report from Nasdaq and Tanium states that more than 90% of corporate executives say they can’t read a cyber security report and aren’t prepared to handle a major attack.
  • Severe data breaches have already cost CEOs their jobs (e.g. Equifax and Target). However, it is more likely (though less reported) that the CISO takes the fall. After all, isn’t the CISO responsible and accountable for security? While this may seem logical, it ignores the fact that security is a shared responsibility across the company and that there are many times when the security requirements and the CISO are ignored. Additionally, I would like to quote a question from Wim Remes, Chairman of the Board of the International Information System Security Certification Consortium, or (ISC)²: “You don’t fire your general counsel when you get sued, so why would you fire your CISO when you get breached?” So, without looking into the individual cases, but just at the trend, blaming and even firing the CISO seems to be another indication that there is still a major disconnect between the CISO and the CEO.

Basically, it comes down to this: when the CEO (and by extension the executive committee and the board) is ignorant of security risk due to a lack of understanding or an unwillingness to take the time to learn the risks, then:

  • Important decisions about security do not get made
  • The CISO is not enabled, nor empowered to successfully help protect the company
  • The company is not prepared for the many and ever increasing security risks it is facing

6 key questions executives should ask themselves

As a C-level executive, board member or audit committee member, there are a number of key questions you should ask yourself about the manner in which security risk is managed in your company.

1. Does your CISO have both the organizational and positional power to escalate issues that they feel strongly about to the appropriate C-level or even board position?

Your CISO will not be successful unless he or she has the buy-in and engagement of the executives. Without this, your CISO will simply be perceived as a business blocker and his or her efforts circumvented. Your CISO needs to have the organizational power and position to effectively challenge business risk decisions that are not good for the company.

2. Are you a passive listener to what your CISO has to say or do you actively engage in the conversation? Are you demanding the latter also from the other execs?

An involved CEO meets regularly with the CISO, reviews reports, asks questions, and provides encouragement and support in front of the other executives and board.

3. Do you know what your security policies are about, what their objectives are, and do you understand that they help to define the level of risk you are willing to take as a company?

As an executive you must actively endorse and support the security policies, and not just passively agree to them as a mere formality. If you don’t bother with, or don’t believe in, enforcing the security policies that were put in place to protect your company’s information (systems), you let down your company, your employees, your suppliers, your customers, …, and you probably deserve the security incidents that will inevitably occur.

4. Are you considering security as a responsibility and accountability that is shared across the company or are you attributing it completely to your CISO and his or her security team?

Controlling security can’t be relegated to one person or one team. It’s an enterprise risk and business problem, not just a CISO problem to resolve. It should not be the CISO making all the decisions as to how much to invest and what the right thing to do is. That actually needs to be in the hands of the Executive Committee. The CISO obviously plays a facilitating role, and you can make a CISO responsible for particular security tasks, but a CISO can never be held accountable for security tasks and responsibilities of others. You should therefore, with the help of your CISO, institute a security program that engages all the different stakeholders in the company. Clear assignment of responsibilities is vital. Groups who are responsible for protecting crucial data, like IT, HR, procurement, and marketing, must become cyber-conscious and accountable too.

5. Are your discussions on executive and board level driven by front page news and incidents?

As information security breaches continue to make the front pages, organizations need to ensure that headlines don’t drive the information security program. Ensure your CISO has regular interactions with executive leadership to create clear visibility into all areas of security risk, i.e. a structured form of risk reporting allowing you to manage security risks in a forward looking and business strategy-aligned manner.

6. Do you believe security problems can be solved by simply investing in the right security tools and solutions?

Incident-driven security risk discussions tend to result in throwing money at the issue and investing in new security solutions. However, to quote Tim Holman, past president of the Information Systems Security Association in the UK (ISSA-UK): “The cyber threat cannot be solved by buying products. A common-sense approach of reducing the amount of sensitive data stored, booting out insecure suppliers, restricting access to information and getting cyber liability cover will often be ten times as effective and ten times cheaper than the next generation security appliance with flashing lights sold to you by expert salesmen. All these require support from the lines of business and the executives.”

Not sure where your company currently stands?

Did the previous questions make you realize it is time to talk to your CISO? Good, then here are some questions that you should ask him or her to trigger a critical discussion about the state of security risk within your company:

  1. Do you understand our wider business strategy?
  2. (How) have you aligned our security approach to our organizational strategy?
  3. What are the biggest risks?
  4. What are the gaps?
  5. How are you evolving our security approach to match the changing risk landscape?
  6. Are sufficient resources available, and are they being used wisely?
  7. Are you being heard? If not, where and why are people ignoring you?

Based on the answers you are getting, you will be able to see where the lines of communication between CISO and executives are obscured, where the CISO may not have been given the tools and resources in line with his or her responsibilities, and – most importantly – if and where you need to improve your understanding of security risk to the same degree as any other business risk.

Tim Wulgaert is a consultant, advisor, presenter and author in the field of information security and privacy. He has over 15 years of experience in developing, reviewing and improving information security strategies, policies, awareness campaigns, organizational design and other related security management topics. Currently, Tim is working on securitythisway.com, an initiative to build a security management content platform that aims to provide security and privacy professionals with hands-on security policy, process, awareness and other related security management content.

Source: https://www.csoonline.com/article/3241466/governance/dear-ceo-are-you-enabling-your-ciso.html

First US Federal CISO Shares Security Lessons Learned

Greg Touhill’s advice for security leaders includes knowing the value of information, hardening their workforce, and prioritizing security by design.

INSECURITY CONFERENCE – Washington, DC – Greg Touhill encouraged his audience of security leaders, whom he dubbed “the cyber neighborhood watch,” to swap war stories and lessons learned during his keynote at Dark Reading’s inaugural INSecurity conference, held this week in Washington, DC.

As the first CISO of the US federal government, and with an extensive background in government cybersecurity and the military, Touhill has several stories of his own. Drawing from years of experience, the Cyxtera president shared his own lessons learned to kick off an event created to bring cyber defenders together so they can discuss problems and challenges.

One of the biggest problems is explaining to the business how cybersecurity is a risk management issue. Most security pros struggle to communicate with business leaders, who “speak a different language than we do,” he explained.

“I keep on hearing executives talk about cybersecurity being a technology problem, and they keep pouring money into buying new stuff,” said Touhill as an example. The enterprise instinct to buy new protective tools often distracts them from the core problem of managing risk.

One of Touhill’s lessons was to avoid chasing fads. Sometimes new doesn’t mean improved, he noted. Security leaders need to keep tech current, not buy every new tool. They should do their homework and base their product decisions on both risk potential and business value.

Knowing the value of corporate information is a key part of evaluating and managing risk. Business leaders know their data exists but often can’t explain what it means or how much it’s worth. It’s tough to know where to prioritize security if you don’t know which data is most valuable.

“Information is one of the most valuable assets any business, any operation has,” Touhill emphasized. “Look at your infrastructure, look at how you architect. Know the value of your information and don’t try to defend everything. Defend what you need to defend.”

Security leaders must also prioritize security by design, he continued, using the transition to the cloud as an example. “A lot of folks jumped into the cloud without knowing about the tall, craggy mountains on the other side of that cloud,” he pointed out.

Touhill’s lessons extended to security employees. “Humans fail all the time,” he said, but you can bring down the risk of catastrophic events by training people and making sure they’re appropriately resourced. Hardening the workforce is “critically important.”

“People are your weakest link but also your greatest assets,” Touhill continued. It’s up to security leaders to make the business case for additional training, which is necessary but expensive. The need for education will never go away. Team members, and colleagues across the enterprise, should be taught to “think like a hacker” and “be very suspicious.”

The sentiment extended to another lesson: have a zero-trust model. Most security pros haven’t taken a full inventory of all the trust relationships they have, he argued, encouraging the audience to look at where their trust lies and “be skeptical.” Knowing and remembering the value of information will be critical as a new wave of professionals enters the workforce.

“We’re raising a generation of folks who are freely surrendering their privacy – your privacy – by giving up information and not recognizing the value of it,” Touhill said.

Other lessons touched on security fundamentals. He urged the audience to identify where they aren’t mastering basics or being consistent. “How many times has someone gotten breached and left the backdoor open?” he asked, relating his advice back to thinking like a hacker.

Attackers will go for the underbelly, Touhill continued. They will check every door and window to make sure they are locked. And if they’re not, they will take advantage of it.

Ultimately, along with protective measures and strategies, leaders must also “be prepared for a really bad day,” he concluded. Security teams identify risk and threats, protect against them, and often build response plans but rarely exercise them to practice for a real incident. Those who need to practice the most often don’t.

In the best organizations, everyone participates in cyber exercises and drills – even the boards and the CISOs. “A bad day is going to come for each and every one of us,” Touhill emphasized.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial services. Sheridan earned her BA in English at Villanova University. You can follow her on Twitter @kellymsheridan.

Source: https://www.darkreading.com/attacks-breaches/first-us-federal-ciso-shares-security-lessons-learned/d/d-id/1330519

Cybersecurity Leadership Role A Sweet Spot for the CISO

Cybersecurity has traditionally been a subject only a few executives were expected to understand. However, as security concerns spread across businesses, cybersecurity now concerns all members of the C-Suite. For example:

  • The chief financial officer needs to ensure secure transactions between financial institutions or business partners.
  • The chief marketing officer needs to master how to securely leverage digital and social media without putting the organization at risk.
  • The chief human resources officer needs to know that digital recruiting processes are secure and personal data won’t be compromised.

Cybersecurity concerns and capabilities for each managing function should be harmonized under companywide priorities and principles. This presents new opportunities for the Chief Information Security Officer (CISO). To get to this point, the organization needs to establish these key processes:

  1. The CISO needs to interact directly with all C-Suite members.
  2. The C-Suite needs to agree on what the company wants to do from a holistic perspective.
  3. The CISO needs to facilitate these discussions.

To facilitate these critical conversations in the C-Suite, the CISO should be prepared to ask the following questions:

  • What are the crown jewels we want to protect with the highest priority?
  • What are the business consequences if those crown jewels are stolen?
  • How much are we willing to invest to mitigate those risks?

Integrating cyber-resilience solutions

Across each organization, there can be many solutions to address cyber resilience. A technology solution could be managed-security services; a financial solution could be cyber insurance; an operational solution could be a Computer Security Incident Response Team (CSIRT); a legal solution could be fiduciary actions based on the advice of attorneys.

The key is to integrate these solutions into a cybersecurity strategy that supports the business priorities of the company. Many companies have not defined and assigned a person to lead that effort. This is a new space in corporate business management—and a new opportunity for the CISO.

Conclusion

By taking on the cybersecurity leadership role in the C-Suite, a CISO can develop and drive a cybersecurity strategy that becomes a comprehensive and integrated package, rather than an aggregation of independent tactics. It can be owned by the entire C-Suite and woven into the companywide business strategy. This will help to reduce risk and improve cyber resilience.

Source: https://www.securityroundtable.org/cybersecurity-leadership-role-sweet-spot-ciso/

The Yahoo Lesson for CEOs: Bring your CISO into the Boardroom

If you view your CISO as a techno-nerd, capably managed by the CIO and therefore someone the board doesn’t need to make time for, think again.

Poor cybersecurity poses an existential threat to your business. That makes it a board-level matter which demands close attention and priority resourcing. You undervalue your gatekeeper at your peril.

Cybersecurity is an operational issue, not an IT one, so your security mastermind must be established, accountable, and independently funded. Delegation can be dangerous when it comes to responsibility for security breaches: just ask former Yahoo CEO Marissa Mayer.

It is now just a year since Yahoo reported two major hacks, one in 2013 and one in 2014, which compromised a total of 1.5 billion customer accounts. The delay in disclosing them, which is still under investigation by the Securities and Exchange Commission (SEC), exacted a heavy price. The company’s share price dropped immediately and plunged the Verizon takeover deal into uncertainty, while Mayer forfeited her annual bonus and stock award.

Where did Yahoo go wrong?

Yahoo made a series of fundamental errors which exposed the company to attack in the first place and then compounded the damage. In short, cybersecurity was not on the C-Suite’s agenda because the people at the top fatally underestimated the destructive potential of a hack.

Firstly, Yahoo took too long to hire a CISO, and then the company failed to bring its security specialist into the inner circle, meaning some top-level decisions are likely to have been ill informed. For example, the CISO may not have been told about a secret program Yahoo installed on behalf of the government to scan users’ emails.

If a company sees cybersecurity as a business barrier instead of the business enabler it should be, then the CISO will inevitably be well down the pecking order for resources. Switch the thinking and you transform the CISO from a hindrance into a potent business asset.

The mind-set was simply wrong at Yahoo. Despite multiple vulnerabilities being noted by internal security teams, there was no appetite or financial backing for controls to be put in place. Some data was encrypted using secure algorithms while other data was stored in plaintext or protected with insecure algorithms, and the company also lagged behind other Silicon Valley heavyweights in implementing technologies such as end-to-end encryption and bug bounty programs.

Then, when the first attack was discovered, users were not immediately forced to change passwords. This is a prime example of the company’s poor attitude to cybersecurity. The SEC and the public were kept in the dark for two years. There was no action plan to contain the damage, no investigation to learn the lessons, and no communications strategy to protect consumer confidence.

Four lessons for industry

  • IT security needs proper investment and commitment from the board. Just because you have appointed a CISO, it does not mean you can ignore the issue. Empower your CISO to protect the organization.
  • Conduct detailed IT security due diligence during any takeover. You are buying data assets along with a company and you need to know whether any lax security might come back to bite you.
  • Tell users and the authorities about any security breach at the earliest opportunity. Not only is that the ethical thing to do, but the rules demand it.
  • Own the problem. Taking responsibility and communicating effectively can save a great deal of pain and ensure that reputational damage is minimized.

How safe is your organization?

The easiest way to determine whether your company has a healthy cybersecurity culture is to look at where the CISO sits in the organization.

When a CISO reports directly to the CEO, the C-Suite has a better understanding of the issues, is better invested in minimizing the risks and planning damage limitation, and therefore less likely to fall foul of a Yahoo-style scenario.

You also avoid any conflict of interest between the team responsible for implementing IT projects and the specialists charged with protecting the organization.

  • Choose a CISO who can articulate business risk
  • Make room for the CISO at the top table
  • Resource the role properly
  • Have a clearly defined action plan in case of a breach

Cybersecurity is a business risk, so treat it like one.

Senior Consultant at Mason Advisory

Source: https://www.infosecurity-magazine.com/opinions/yahoo-lesson-ceo-ciso-boardroom/
