Topics:   Cybersecurity,Leadership,Risk Management

April 30, 2019

The Right Conversations to Have with Your CISO

Cybersecurity is a relative newcomer to the enterprise risk party. Why? Because technology has slowly but surely emerged as a risk imperative across the enterprise. But the potential business damage from attacks, historically, has fallen more in the “annoying but survivable” category rather than the “existential threat” category, so cybersecurity has often not been a focal point of enterprise risk discussions.

That needs to change.

With the ever-increasing number of ransomware attacks, nation-states attempting to steal intellectual property, and the proliferation of regulations that have real teeth (translation: the EU’s General Data Protection Regulation and its copycats abroad and across the 50 states), this calculus has changed. Just this month, the New York Times ran a well-received article about the complications facing companies whose cyberattack losses are not being covered by the insurance policies they rely on. Why? Because the insurers are declaring the losses “acts of war.”

Cybersecurity today represents a business risk commensurate with, or even exceeding, traditional enterprise risks such as legal liability, financial compliance, and supply chain resilience. And cybersecurity has become central to organizations’ ability to take advantage of technology trends such as cloud computing, digital transformation, and operating the Internet of Things, because without well-planned security, these exciting trends simply open new doors for attackers to steal valuable data and disrupt operations.

For some organizations, bringing the chief information security officer (CISO) into the boardroom has been a clashing of two worlds, with CISOs speaking the technical language of cybersecurity and board members speaking the language of business. In recent years, there has been a melding of these two worlds out of necessity, as boards take a more acute interest in cybersecurity, and CISOs take a greater interest in becoming a more integral part of the business.

This environment creates an opportunity to finally bring cybersecurity into the enterprise risk fold where it belongs. Doing so, though, requires strong communications—and boards can take the lead in making sure that they and CISOs are on the same page by asking the right questions of one another at the right time.

What to Ask Your CISO

Board members need clarity on top risks and corrective actions to protect business operations and the bottom line. Because CISOs often come from a more technical world, they tend to think about risks in the context of their daily cybersecurity activities: intrusion detection, forensic analysis, penetration testing and so on. That said, any CISO worth his or her salt will strive to understand and think in the context of the business and all of the enterprise’s security needs.

To avoid getting mired in the technical weeds, it is a good idea to have some basic, high-level questions ready to ask your CISO at your next board meeting, such as:

  • What are our greatest cybersecurity risks, why are they considered our greatest risks, and what are we doing to manage them?
  • Do we understand who our likely adversaries are and what they are most likely to attack?
  • Who have our adversaries been in the past, and have they continued to target us?
  • What are our breach detection and response capabilities? Are we practicing what to do in the event of a breach or security incident?
  • Which regulations are important to us with regard to cybersecurity, and where do we stand with compliance?
  • What are our biggest cybersecurity gaps and what are we doing to mitigate them?
  • Are we spending more or less than our industry peers?
  • What steps are being taken to integrate cybersecurity risk into our enterprise risk program?

CISOs should also be required to report on a set of metrics, so boards can get an “at a glance” update on the state of cybersecurity in the organization. The tough question is: What are the right metrics?

Security teams tend to develop metrics around team productivity, security issues resolved, and other tactical points, but these types of metrics are often not strategic enough to be useful to board members who are looking to track trends over time and align to business impacts. The board should encourage CISOs to develop metrics around “big picture items,” such as:

  • Compliance. Where do we stand in remediating deficiencies against the cybersecurity obligations our compliance requirements impose?
  • Security disruption. How much downtime did critical systems experience due to security incidents?
  • Business cyber-risk trends. How has cybersecurity risk increased or decreased by division?
  • Business alignment. Number of corporate projects delayed or accelerated by cybersecurity along with associated cost added (for delays) or cost savings (for acceleration).

These are just a few examples of the potential metrics that could be developed for a security program. The important thing is to have metrics that map to business performance and risk rather than the nuts and bolts of running a security operation. The board’s role is to oversee the risk mitigation of the security team for the enterprise—not to be part of the security team itself. Ideally, boards would collaborate with CISOs on developing these metrics because this is the only way for the CISO to know exactly what information the board would find useful.

Guidance from organizations such as NACD and the Securities and Exchange Commission is available to help boards and security teams adopt effective, collaborative business language. Creating this kind of common language is critical as cybersecurity moves out of the shadows and under the spotlight of enterprise risk.

Bryan Wiese is Division Vice President and General Manager, Global Advisory Services, at Optiv. To dive deeper into aligning cybersecurity and business risk, visit