For a long time, security was an additional duty assigned to the IT department. Today it’s a distinct discipline, a top business priority, and perhaps even a competitive edge.
About one-third of business executives (34%) see security as “a driver of competitive advantage or differentiation,” according to a study – The Modern, Connected CISO (PDF) – presented by research firm IDC and consulting firm Capgemini. Nearly half of respondents (46%) say security is “vital to the competitiveness” of a company’s products or services.
This elevated visibility has increasingly placed the CISO in traditionally less familiar territory: the boardroom. In fact, more than 60% of CISOs surveyed reported attending important board or executive-level meetings. Clearly, communicating with the board has become an essential skill.
Yet essential doesn’t mean it’s easy. As Rebecca Wynn, head of information security and data protection for Matrix Medical Network, put it in an interview for our Q&A series, “How do you measure the ROI of a potential loss to the company?”
It’s a challenge with which even the most seasoned security leaders are wrestling. However, there is a growing body of research and best practices aimed at answering that question. We recently sifted through some of it and uncovered these actionable tips security leaders can put into practice.
1) Align with risk appetite and business priorities
Board members tend to be a business-savvy but less-technical audience. The board views cybersecurity as a business imperative that “should align with risk appetite and business priorities.”
The best way to align is to look at things from their perspective, according to research by Kudelski Security. To that end, engagement is the first step to understanding the board’s frame of reference and information needs:
“CISOs need to engage in meaningful conversations with board members and be accepted as equal partners in executive business leadership rather than compliance chasers, technology spenders, and/or one-way cost centers.”
Read more: Cyber Board Communication and Metrics
2) Finding the essence of what a board wants
Cybersecurity has evolved to where the “risks and associated costs now fall squarely within the fiduciary responsibilities of a company’s board of directors,” according to a white paper published by RSA’s Security for Business Innovation Council. But in order to execute on those responsibilities, what exactly does a board want to know?
The board wants to know its security leadership has identified the business’ most critical assets and “you have a plan of action” for “protecting those assets,” says Timothy McKnight, who has held senior security leadership roles for GE, Thomson Reuters and, presently, SAP. Just as important, he added, is knowing the security organization is “executing against that plan to manage risks to the company.”
3) Choose metrics that build trust
CISOs tend to show technical or operational metrics that can be hard for board members to understand and relate to, according to John Hellickson of Kudelski Security. In an interview with SearchCIO, he says that can actually reduce the trust a board has in its security leadership.
What metrics should CISOs include?
Mr. Hellickson pointed to quantitative metrics including:
- Dwell time;
- New vulnerabilities discovered vs. remediated;
- Patch management;
- Number of incidents and vulnerabilities;
- Number of non-remediated risks;
And more qualitative measures such as:
- Results of initiatives to reduce risk;
- Actions to improve the security posture;
- Security integration with application development; and
- Risk the company has accepted in accordance with its tolerance.
4) Present a business problem with probability and impact
Risk management has two fundamental factors – the probability of an event occurring and the severity of impact if it occurs. From that perspective, cybersecurity mirrors every other challenge in business, according to Jason Witty, the CISO for JPMorgan Chase, as cited by SecureWorldExpo:
“You have to present it [cybersecurity] as a business problem and then that will help you get the funding you need, the staffing you need, the speed to close down that risk, and the support to have that speed.”
And later, he added:
“It’s just like any other business risk. ‘Here’s the probability of this risk happening, here’s the impact if it did.’ Context and implications are the two most important words.”
5) Give the board a framework for understanding
Frank Kim of ThinkSec advocated placing metrics within the NIST framework during a presentation he gave at an RSA conference. Within that framework, he suggests describing the following for each of the five functions of security (identify, protect, detect, respond, recover):
a) the state of the capability using a stoplight model (red, yellow, green);
b) the trend – an arrow indicating whether it’s trending up, flat or down; and
c) a few bullet points with some highlights for discussion.
The format doesn’t just provide metrics, but also a way for board members to evaluate those metrics based on an industry standard. See page 21 of his presentation (opens in PDF) for a visual example.
6) Develop a story about the value of security
Research and advisory firm Gartner, Inc., suggests developing a “value story” in an eBook the company published. If a business is worried about cybersecurity, then the story you tell a board should focus on how you are securing those assets. For example, metrics you might include on a scorecard would center around the following:
- “Value loss prevented by incident mitigation”;
- “Number of advanced persistent threats per month prevented”; and
- “Percentage of systems compliant with security standards.”
The eBook is careful to emphasize informing rather than educating:
“Remember, this is an advisory presentation without specific proposals for investments or projects. You’re presenting a framework for thinking.”
Should you take a position? Yes, according to the firm:
“Boards want to know all the options, but they’ll also want to know your opinion on which option makes the most sense moving forward. Take the opportunity to demonstrate business acumen and add value to the decision.”
7) Telling a good story
If you list a bunch of statistics or tell a good story, which one will the board remember? It’s probably the latter and that’s the premise behind the communication strategy employed by a savvy security leader – as relayed by FierceHealthcare:
“One security leader from a life sciences organization said he and his team typically prepare for board meetings by building stories around a few recent cyber incidents in the organization. The key, he said, is to describe the incident and make sure to explain the impact it had (or could have had) on the business. Connecting specific incidents with specific business functions can help organization leaders make better decisions around addressing risks and managing processes, according to the report.”
It’s worth pointing out that storytelling and statistics aren’t mutually exclusive – they may work better when they work together.
Read more: Tech CISOs need to unleash the power of storytelling to make cybersecurity real to boards, leadership by Heather Landi and also Communicating the value of cybersecurity to boards and leadership by Casey Korba and Amry Junaideen.
8) Limit your messages
Part of the role of the CISO is to distill a mountain of data down to just the most essential information a board needs to know. A CISO has, on average, about 15 minutes to do it. In his assessment, that’s only enough time to get three big ideas across, Killian Faughnan, Group CISO at William Hill, told CSO Online.
He came to this conclusion when he noticed his presentations to the board were overwhelming members:
“I had too many charts and too many graphs, and I was putting too much information in there, and I could just see they were glazing over when I was telling them about all the important things I was doing.”
His observation led to this realization:
“The hardest thing for me was getting used to the idea that I’m there to give the board what they want, not what I want them to want. They’re quite different things.”
What they want is a metric that “says we’re doing well or we’re doing not well. That’s it,” he said.
* * *
What tips or resources would you add? Tweet us @BricataInc.