Today’s CISO must learn the soft skills and business expertise to shake hands with the board and high five the C-suite. The CISO role has evolved from trumped-up security engineer to full-fledged business strategist. Here’s practical expert advice on how to talk the talk and walk the walk when communicating cybersecurity risk to the board.
Got one for you. A guy in a hoodie walks into a major financial institution’s executive board–like, literally walks into them–and grumbles, “Move it or lose it, I’m trying to protect you!” As they fall like bowling pins before his rush to the servers, he throws a heavy technical brief at them and shouts over his shoulder, “Threat data! You’re welcome!”
Dusting themselves off, the CEO explains to the board chairman, “Meet Bob. Our CISO.”
Rise of the CISO
Thankfully, this kind of joke is going out of style in the modern executive board’s age of cybersecurity enlightenment. Today’s organized cybercrime-as-a-service threat landscape, which recently paralyzed US oil distribution and food production with ransomware, has elevated cybersecurity from a perceived business blocker—a nerd-driven nuisance–to a core strategic function. McKinsey, Deloitte, PWC and every other analyst and consultant are echoing a new businesses mantra: Cybersecurity is a business strategy.
But despite a willingness to embrace information security and the CISO as business enablers and leaders, communication gaps have perpetuated old rifts. Executives are smart business leaders but not necessarily IT experts. Infosec leaders are smart security engineers who can fall into IT tunnel vision. This stereotype is changing a the CISO rises to the occasion and bridges the IT and business worlds with the right mindset, communication skills, and resources to steer growth-minded initiatives through perilous waters.
How to communicate risk to the board
The CISO must focus on translating security risk in business-friendly terms. Don’t bowl them over with impenetrable data sets, say experts. Rather, nurture understanding of risk as it pertains to the common goal of growing the business and continuing operations with the most protection possible.
Petri Kuivala, CISO of NXP and former CISO of Nokia, told us, “You have to know the business. A successful CISO understands the business and communicates threat data as cybersecurity trends to the board with the understanding of how the business works. Just because there’s a security risk with something, that doesn’t mean you just tell the CEO it can’t be done. As the CISO, I am a business enabler. it’s my job to explain the risk in a way that the board can make an informed business decision to put resources in the right places to lower risk while trying to make money.”
The board and the C-suite exist to advance the business. They must take calculated risks to grow revenue in a business landscape constantly disrupted by new players and transformative technologies. Meanwhile, advanced technologies and economic expansion of the cybercriminal underworld are making the threat landscape ever more apocalyptic–some reports project cybercrime will drain the global economy $10.5 trillion annually by 2025, up from $3 trillion USD in 2015. Executives are no longer blind to cybersecurity risk; they have seen the light.
This is especially true in financial services. The private equity industry, for instance, has gone bananas over cybersecurity, with new annual records of 116 buyouts in the space and 49 private equity growth investments, with a combined value of $19.2 billion, 92% higher than any other year other than an aberrant 2016.
Board to CISO: “We’re listening. Let’s speak the same language.”
“Cybersecurity has become a top concern for the boards of financial-services firms, and the level of concern seems to be growing day by day. With organizations seeking to create new digital customer experiences, applying sophisticated data analytics, and investing in a wealth of other technology innovations, cyberrisk management clearly requires governance at the highest levels. The advent of the COVID-19 crisis makes this challenge even more urgent.
There has been a remarkable shift in board awareness of cybersecurity in the past few years: for example, earlier McKinsey research, from 2017, suggested that only 25 percent of all companies gave their boards information-technology and security updates more than once a year. More frequent and consistent communication between board members and senior management on this topic now enables boards to understand the financial, operational, and technological implications of emerging cybersecurity threats for the business and to guide its direction accordingly.” –McKinsey, “Emerging challenges and solutions for the boards of financial services companies”
Short-term and long-term risk: 5 key takeaways
Business always contains risk. Be it disruption to supply chains by a global pandemic or underperformance at scale using new technologies or products, executive leadership must know, quite simply, whether potential benefits outweighs potential risks of doing something.
Petri said he communicates cybersecurity to the board at a high-level, focusing on short-term and long-term risk. For instance, Petri told his board that a cyberattack with a phishing hook (by far the most common breach tactic) could result in a 1-2-week shutdown of production, which would carry a cost of $500 million in lost revenue short-term. That same shutdown would then result in longer-term reputational damage, which could then result in shedding of customers. To mitigate that level of catastrophic risk, he suggested investing a few tens of thousands of dollars into phishing awareness tools and initiatives that raise employee threat reporting and awareness, and ultimately lower risk.
Meanwhile, long term, a company could lose its crown jewels. Vital IP developed over seven years and projected for $100M in product lifecycle revenue could be leaked to a black market buyer without the company even knowing it. IP theft is very sneaky because it might not ring alarm bells until it’s too late.
When the CISO goes to the board, he or she reports the security team’s work in high-level trends. Then, always with the focus being on the business, they communicate risk:
- What does the risk actually look like: what kind of breaches could happen?
- How much the new business system raises the risk
- Potential costs of a breach
- What can be done to mitigate that risk
- What mitigation costs
When meeting with the board, the CISO must remember who they’re talking to. The board will not absorb 50 slides in 20 minutes of minute details of attack vectors, stolen records, or data exfiltration. Their concern is what a breach costs the business, what it costs to fix it, and its likelihood of happening. The board wants to see numbers speaking to those concerns, and good CISOs will provide them.
Sharing pain and transferring risk
When the board taps the CISO’s expertise to understand the risk of doing something, the CISO should begin by putting away their security engineer hat. The business might accept a higher level of risk than a security engineer. So, put on your CISO hat and translate those risks into a cost-benefit analysis, which enables an informed decision.
- What is the value of doing this? If you’re considering launching a new product, or rolling out a new server, or system, or web interface, what is its business value?
- What is the risk or exposure triggered by doing this?
- If the you-know-what hits the fan, what will it cost to fix it and how long will it take to scrape off the walls?
Sometimes the risk will be objectively too high to support an endeavour. In a recent New CISO podcast, Dr. Eric Cole, a former CIA hacker and current CISO and cybersecurity thought leader, said that he has developed a risk threshold that is useful in such cases. Basically, so long as a unit is operating within their risk threshold, he accepts ownership of the security risk.
But should the operational risk exceed that threshold, he transfers that risk. At the next quarterly 20-minute presentation with the executive board (with whom he’s already built good faith as a business enabler), he devotes the last 5 minutes to formally transferring the security risk of a project onto the VP who owns it. This is done professionally and without drama; and at that point it’s up to the CEO to either accept the risk and greenlight the project with a risk transfer (which could implicitly include the CEO), or spike the project as too risky.
Dr. Cole said that he sees fewer and fewer risk transfers as VPs learn to accept his risk threshold as something more meaningful than a data nerd’s line in the sand. That’s what happens when the C-suite sides with the CISO—and the CEO is held accountable for data breaches by the board–more and more.
“We security people have tried to own too much pain,” said Dr. Cole in the podcast, where he also noted how the playbook often involves firing the CISO for a data breach, whether it was his fault or not. “But this outlines a way for shared pain; a more mature outcome for security.”