CyberSaint Blog | Expert Thought

Critical Objectives for CISOs: Cybersecurity in the Boardroom

Written by Maahnoor Siddiqui | December 14, 2021

The need to communicate cybersecurity as a business function has always been present, but board-level involvement in cyber has increased markedly. Cybersecurity governance and risk have become a top-of-mind issue for C-suite executives and board members. With an evolving threat landscape and a rising volume of data breaches, the bottom-line cost of fragmented, static data protection and cybersecurity risk management is now visible.

Communicating an organization's cyber posture is no longer simply a matter of securing more budget. After incidents like the JBS and Kaseya ransomware attacks, information technology, cybersecurity, and risk are understood to affect bottom lines and stock prices as much as any other business function. As information security leaders, Chief Information Security Officers (CISOs) must be able to articulate how they manage cybersecurity and what their strategy means for the business.

What do CISOs care about? The CISO role is often misunderstood by business-side teams and used as a scapegoat for security lapses. Yet many of the frameworks security teams adopt were written with business-side leaders in mind. The NIST CSF, widely regarded as the gold-standard framework, was written to be used by both business and technical leaders. With cybersecurity elevated to a Board- and CEO-level concern, CISOs must employ frameworks and tools like the FAIR model to bridge the gap and foster an enterprise-wide conversation around security and risk.

Reporting on cybersecurity to the Board is a key pillar of success for both cyber operations and the business. As SEC reporting requirements take shape, executive leaders must understand the value of cyber investment and actively participate in cyber risk management. 

The Needs of the Modern CISO 

A CISO is responsible for many things in an enterprise: establishing security and governance practices, providing a framework for managing the risk of business operations, and reporting on cybersecurity to the Board of Directors. To be successful, the CISO needs to communicate effectively with the Board so that it properly understands the organization's information systems, the importance of risk management, and the investment required to reach cyber maturity.  

There are three primary needs of the modern CISO: a proactive cyber risk management strategy and continuous compliance approach, "glass-box" tools like the FAIR risk assessment methodology for transparent insights, and standardized executive reporting.


Continuous Compliance and Integrated Cyber Risk Management

Few tools on the market help organizations integrate their cybersecurity approach or support continuous compliance. The half-life of assessment data is very short: an assessment is only a snapshot of the organization at the moment it was taken. With the rapid pace of innovation and technology adoption at any enterprise, annual (or, at best, quarterly) assessments do not accurately represent an organization's cybersecurity posture at the time of reporting. The result is that executive decisions are made on stale data, producing a lack of awareness and, worse, lapses in security controls. Security leaders must adopt a continuous compliance approach and, as a result, change the tools their security organization uses. 

Continuous assessment is necessary, and organizations still poring over spreadsheets are at an inherent disadvantage. Spreadsheets are clunky and time-consuming, they lack transparency, and they make it hard to track risks, controls, and remediation activity. By the time you have finished working through them, the compliance picture they describe is most likely already out of date. 

The other cornerstone of a modern security program is an integrated approach to risk and compliance. Too often we see organizations using modular GRC tools that, by design, keep security organizations siloed. Integrated cyber risk management reconfigures the GRC approach around a risk-aware culture and enabling technologies that improve decision-making and performance. 

For an organization to see metrics that actually support decision-making, it must use platforms that integrate all risk and compliance data, so that leaders can see and understand the enterprise's cybersecurity posture using the most up-to-date data available. 

Transparent Cyber Risk Quantification

When reporting to the Board and C-level executives, security and risk leaders must start at a high level yet be able to justify and explain how their program works. The market now offers a growing number of black-box cyber risk quantification tools that give little or no insight into how their metrics are produced. Methods that rate risk on an ordinal scale (high, medium, low) offer no actionable insight from the result. Unexplained quantification can prove catastrophic in a Board-level discussion if the person in the room positioned as the expert cannot explain a core aspect of their own program. 

CyberSaint promotes "glass-box" methodologies such as the freely published NIST SP 800-30 risk assessment process and the FAIR model (an Open Group standard), both of which can be explained to the Board and C-suite. The FAIR risk quantification model expresses risk as a dollar value. With security and risk assigned a financial value and framed as a business objective, CISOs and Board executives can make informed decisions about information security and risk. 

Unlike many other cyber risk quantification models, FAIR breaks measured risk down into its components and their relative contributions. Risk is decomposed into two quantifiable factors: loss event frequency (how often a loss event is expected to occur) and loss magnitude (how much each event costs). Their product gives the expected financial loss from an exposure, so each identified risk can be assigned a dollar value and explained as potential loss. FAIR not only improves communication in the boardroom but also improves risk communication across the entire organization. 
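The decomposition described above, carried through as a runnable Monte Carlo simulation. This is an added example, not CyberSaint's or the FAIR Institute's code: it implements the top of the FAIR taxonomy (risk = loss event frequency x loss magnitude, with LEF split into threat event frequency x vulnerability and LM into primary + secondary loss) over calibrated (min, most likely, max) estimates. The triangular distribution, the Poisson draw for the number of loss events per year, the nearest-rank percentile, and every dollar and frequency figure are modelling assumptions constructed for illustration, not values from the original page.

```python
"""
FAIR-style Monte Carlo risk quantification (added example; not CyberSaint
or FAIR Institute code).  It models the top of the FAIR taxonomy:

    Risk (annual loss) = Loss Event Frequency (LEF) x Loss Magnitude (LM)
    LEF                = Threat Event Frequency (TEF) x Vulnerability
    LM                 = primary loss + secondary loss (per event)

Inputs are calibrated (low, most likely, high) estimates.  The triangular
distribution is a stand-in for the PERT distribution most FAIR tooling
uses, and drawing the yearly event count from a Poisson distribution is
also a modelling choice.  All figures below are constructed.
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """A calibrated three-point estimate: low, most likely (mode), high."""
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # random.triangular's argument order is (low, high, mode)
        return rng.triangular(self.low, self.high, self.mode)


@dataclass(frozen=True)
class Scenario:
    name: str
    tef: Estimate             # threat events per year
    vulnerability: Estimate   # P(a threat event becomes a loss event), 0..1
    primary_loss: Estimate    # direct cost per loss event, USD
    secondary_loss: Estimate  # fines, churn, legal cost per loss event, USD


def point_estimate(s: Scenario) -> float:
    """Single-number view using the most-likely values: LEF x LM."""
    lef = s.tef.mode * s.vulnerability.mode
    lm = s.primary_loss.mode + s.secondary_loss.mode
    return lef * lm


def _poisson(rng: random.Random, lam: float) -> int:
    """Knuth's Poisson sampler; adequate for the small rates used here."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate(s: Scenario, years: int = 20_000, seed: int = 1) -> list[float]:
    """Return one simulated annual loss (USD) per simulated year."""
    rng = random.Random(seed)  # fixed seed so a report can be reproduced
    losses = []
    for _ in range(years):
        lef = s.tef.sample(rng) * s.vulnerability.sample(rng)
        events = _poisson(rng, lef)
        total = 0.0
        for _ in range(events):  # each loss event gets its own magnitude
            total += s.primary_loss.sample(rng) + s.secondary_loss.sample(rng)
        losses.append(total)
    return losses


def percentile(values: list[float], p: float) -> float:
    """Nearest-rank percentile of an unsorted list (0 <= p <= 100)."""
    ordered = sorted(values)
    return ordered[round(p / 100 * (len(ordered) - 1))]


def summarize(losses: list[float]) -> dict[str, float]:
    """The figures a Board can act on: expected loss and tail exposure."""
    return {
        "mean": sum(losses) / len(losses),
        "p10": percentile(losses, 10),
        "p50": percentile(losses, 50),
        "p90": percentile(losses, 90),
        "max": max(losses),
    }


# Constructed scenario: ransomware delivered by phishing at a mid-size firm.
RANSOMWARE = Scenario(
    name="Ransomware via phishing (constructed figures)",
    tef=Estimate(2, 6, 12),
    vulnerability=Estimate(0.10, 0.25, 0.40),
    primary_loss=Estimate(50_000, 150_000, 400_000),
    secondary_loss=Estimate(10_000, 50_000, 150_000),
)

if __name__ == "__main__":
    print(f"{RANSOMWARE.name}: point estimate ${point_estimate(RANSOMWARE):,.0f}/yr")
    for key, value in summarize(simulate(RANSOMWARE)).items():
        print(f"  {key:>4}: ${value:,.0f}")
```

The point estimate (most-likely values multiplied together) is the number that tends to end up on a slide, but the simulation is what makes the method a glass box: every input is a range a subject-matter expert can defend, and the p90 and max columns show the tail exposure that a single product of averages hides. Changing one estimate (for example, lowering vulnerability after a control is deployed) and re-running shows the dollar effect of that control.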

Automating and Reporting

An assessment is only as valuable as the data your organization can report from it, because that reporting is what enables business-side decision-making and carries results into the boardroom. Spreadsheets add an unnecessary tax on your cyber organization. For most teams, the greatest need for automation lies in post-assessment reporting: the lag between completing an assessment and delivering the report ages data that was already only a snapshot in time. Automated reporting lets security organizations produce up-to-date reports that spreadsheets and modular tools simply cannot.

Download our Board Reporting Template to ace your Board-level cybersecurity report. 

Meeting The Needs of The Modern CISO 

As the CISO takes part in more senior-level management discussions, the solutions they choose for their organization become all the more critical. An integrated cyber risk management approach helps leaders and practitioners alike understand enterprise-wide cybersecurity posture. Glass-box methodologies that produce easily explained metrics support Board-level discussions with actionable insights and frame cyber and risk as a vital business function. Finally, an integrated, risk-first approach allows greater automation of post-assessment reporting and helps CISOs report consistently and drive significant decisions.

Contact us to learn more about CyberStrong’s integrated cyber risk management approach and how our all-in-one solution supports CISO efforts towards a mature cybersecurity posture.