CyberSaint Blog | Expert Thought

3 Board Questions CISOs Need To Ask Themselves

Written by Kyndall Elliott | April 15, 2021

A Chief Information Security Officer’s (CISO) life has become more complicated since COVID-19 pressed many businesses into digital transformation that weren’t quite ready to make the transition. Companies had no choice but to adapt; otherwise, they would lose out on revenue and growth. This meant CISOs had even more added to their scope in an already stressful environment.

Because of the forced transition, many companies take a compliance-centric approach to cybersecurity management instead of a proactive risk-first approach. By focusing on compliance only, organizations and business leaders leave themselves open to many risks and cyber-attacks.

According to Gartner, although interest in cyber security risk management has grown, only 37% of board respondents feel confident or very confident that their company is adequately secured against a cyberattack, compared to 42% in 2017. A slightly higher percentage (49%) is confident or very confident in the ability of management to address cyber risk. However, over one-fifth of directors (22%) expressed dissatisfaction with the quality of cyber-risk information provided to the board by management.

So, how can CISOs get the C-suite involved in taking a risk-based approach to cybersecurity, and stress the importance of investing in real-time monitoring to mitigate risk?

Here are three questions that CISOs should ask themselves when considering a risk-based approach to cybersecurity.

Identifying & Addressing Emerging Threats for Board Reporting

Legacy IT GRC systems don’t offer modern enterprises enough insight into real-time risk. Most solutions are modular, and because their data is siloed, information does not flow between modules. We often discuss “glass-box” vs. “black-box” cybersecurity when comparing transparent cyber risk quantification with shielded cyber risk quantification.

The fact is that while black-box solutions rely on proprietary methodologies and unvetted practices to deliver sources of risks, “glass-box” solutions empower security leaders to employ industry-leading, gold-standard methodologies and frameworks that can be easily explained to both technical and business-side stakeholders.

To identify emerging threats in real-time, organizations need this “glass-box” risk reporting to continuously monitor vulnerabilities in their systems. With manual control monitoring, many employees spend most of their time in front of spreadsheets, dedicating thousands of man-hours to complete assessments that could be outdated by the time they’re finished. This is not an effective or safe way to approach threats, and it leaves companies wide open for potential risks and sensitive data breaches.

The solution to this issue is simple: automation. Organizations can create a real-time cybersecurity risk management program that monitors risk by leveraging NLP-assisted AI. When looking at software that can supplement current IT GRC tools, solutions that involve artificial intelligence (AI) or natural language processing (NLP) can save companies countless person-hours by using automation to approach cybersecurity risk assessment. The CyberStrong platform offers Continuous Control Automation (CCA) so you can monitor risks proactively.

But how does this approach compare to other organizations in the cyber playing field? 

Addressing Key Board Concerns as the CISO

When companies benchmark against competitors, they must consider their maturity level regarding cyber risk. It’s no longer a question of “Are we secure?” as much as it is “How secure are we?” It’s impossible to eliminate risk completely, but managing it more securely and effectively is possible. 

The graph below illustrates the levels of cyber risk maturity to benchmark against competitors. Previous risk strategies may have singled out things like the number of data breaches or incident responses. However, this is a shortsighted view of the risk management process that puts all the blame on one person or facet of the organization, ignoring all the steps and decisions that got them there.

The goal is to get the company on board with a proactive risk management strategy instead of focusing on compliance. Communication about policy and procedure is vital, too. The C-suite and board must be on the same level as the CISO to effectively manage threats. Without that transparency, friction will arise between different sectors of the organization, including between the CISO and the C-suite. Everyone must come to an understanding of the importance of raising the company’s maturity level. Gartner predicts that through 2024, more than 75% of prosecuted compliance violations will result from failure to coordinate compliance policies and implementation with security and risk managers.


Cyber risk assessments and management need to go beyond checkboxes and spreadsheets. This sort of drastic reframing can’t happen overnight, but with intentional decision-making and a strategy in place, reaching a higher level of maturity is easily attainable.

Collaboration Between the CISO, Board, and C-suite 

Interest in cybersecurity and technology risk management is increasing at the board level, with 91% of organizational leaders responsible for cybersecurity and technology risk management reporting to the board at least once in 2018.

Despite this, portraying cyber risk in a business context has historically been challenging, resulting in conflicting goals with management and higher-level executives. The question often asked is why we allocate so many resources to a program that can’t quantify a return on security investment. 

Because cyber risk tends to be “invisible,” especially when CISOs are taking a risk-first approach, it can be difficult to demonstrate the importance and success of the investment. Yet, when these budgets are slashed, cybersecurity professionals have even more areas to oversee but not enough bandwidth to manage it all. However, CISOs can create a narrative that frames their approach using business-oriented language to get the C-suite on board with a cohesive story. Aligning business and IT objectives is paramount in this instance.

By presenting a tangible narrative that the organization can connect to, you show how your IT and security department touches many aspects of your operations and industry, and you demonstrate what it influences. This makes the work and effort the IT department puts in more “visible” and allows higher-level executives to easily see the value of investing in the departments that manage risk and digital transformation initiatives.

Knowing your audience is critical when crafting this narrative. Who are the individuals on the board, and what roles do they serve? How can cyber programs increase revenue or, alternatively, decrease revenue if there’s a breach? What risks does the company face by addressing compliance instead of a risk-first approach?


Considering these questions allows CISOs to create a story that resonates with the whole C-suite and allows business leaders to set themselves up for success.

Advancing Your Board Reporting Strategy

Under the pressure of a post-pandemic world, CISOs who take a risk-first approach and actively try to increase their cyber risk maturity level will make life easier for themselves and for the rest of the enterprise. To learn more about a risk-based approach to securing assets, contact us.