With high-profile data breaches and cyber incidents capturing headlines almost weekly, business leaders are getting a front-row seat to the impact cybersecurity can have on an organization’s bottom line. CEOs and Boards of Directors are growing increasingly concerned about the risk that poor security programs pose to the enterprise in general. CISOs must deliver effective reporting to senior leadership, but business-side leadership needs to know what to ask from security teams. CEOs and Boards should aim to bridge the gap between business and cybersecurity by establishing a governance structure that runs cybersecurity as a business function.
The greatest challenge to business-side leaders is understanding how this new configuration of cyber threats fits into the existing risk profile of the enterprise. CEOs and board members are incredibly adept at managing other forms of risk, yet information security management appears to be a whole different challenge.
According to the Gartner 2020 Board of Directors Survey, the second-highest source of risk is cybersecurity risk. And by 2025, 40% of boards will have a committee dedicated to overseeing cybersecurity. Board members count on CEOs and CISOs to provide insights into how cybersecurity will extend and improve overall business performance. Security and risk is a top-of-mind challenge for board members, and cyber aligned with business objectives is necessary for incorporating cyber risk into the overall risk profile.
As CEOs begin to engage with their information security leaders more, they need to make sure they’re asking for the right information to ensure success for both parties. Just as a CFO can produce financial risk models to empower decision-making, so too can CISOs develop risk assessments and risk models that do the same. The biggest thing that business leaders need to emphasize in this conversation is ensuring that their CISOs employ the right risk modeling frameworks to be of value to both technical and non-technical stakeholders. In discussions with technical and non-technical stakeholders, CISOs need to use the right risk modeling frameworks to provide valuable insights. There are multiple cyber risk frameworks out there, but any framework is only as good as the security strategy it helps develop.
There are many tools and resources for quantification - after assessing your security objectives, you can pinpoint methods that deliver effectively for your organization. Using the right risk quantification methods can enhance risk modeling and assessment reports. Your risk quantification method needs to convey risks associated with your cyber strategy for CEOs and board members to make well-informed decisions about moving forward with cyber investments, risk compliance, and management plans.
CEOs cannot be unaware of the security risks inherent to business growth. A business at odds with its cybersecurity will stagnate. One of the most popular frameworks, the NIST SP 300-30, or the NIST Risk Management Framework (RMF), enables users to view an organization's threats through a risk-based lens. While the NIST RMF does not directly quantify the probability of risk exposure, it is an option for organizations in the process of maturing their cybersecurity posture.
More mature companies can utilize the FAIR model, which quantifies the loss event frequency and loss magnitude in financial terms. The degree of impact and type of identified risk is assigned a dollar value and explained as the potential financial loss due to exposure. With this method, CEOs can clearly understand the existing types of risk and their impact. These clear insights will help CEOs and CISOs track security controls, frame cyber as an integral business function and accept a certain degree of risk for business growth.
In today’s world, breaches and incidents are a matter of when and not if. Whether looking at Kaseya or Colonial, the world turns to the CEO when these incidents occur and expect answers. Traditionally cybersecurity programs have been secluded and misunderstood by business leaders. Siloing cyber and information systems without engagement from senior and business-side management has a greater negative impact when a breach does occur. In varying degrees, cyber risk oversight must be rolled up to the CEO and the Board with the more technical CISO guiding a cybersecurity strategy that empowers business growth.
Cyber and business are interconnected. Neither aspect should impede the other. Instead, cyber risk management is a key business facet that extends growth and ensures seamless business operations. Without insightful risk management, leaders are unaware of the risks they can take for growth and the threats to avoid.
CEOs and senior-level business leaders need to be aware of their organization’s cybersecurity program and have a high-level sense of the organization’s effectiveness. Integrated with the CyberStrong platform, the FAIR model coupled with a maintained risk register gives leaders an enhanced view of risk. Quantitative insights will give CEOs the confidence to report to the boardroom with accurate insights and informed action methods in a crisis.
To provide further context to risk quantification findings, CyberStrong provides numerous Executive Risk Reports, including an Assessment Summary Report, Optimization Report, and a Standard Risk Report, to enhance discussions around risk management with up-to-date mitigation information.
The greatest risk facing many business leaders today lies in cybersecurity - as all organizations are faced with embracing new technologies to survive the digital era. CEOs can no longer be cyber unaware. CEOs and other senior leaders are nine times more likely to be targeted in social cyber-attacks. Executive business leaders need to be cyber aware not only in the event of a breach but because they are a highly targeted point of entry for a breach or worse.
Cybersecurity governance starts from the top-down. CEOs need to know the nuances of risk and implications of a compromised cybersecurity program. How can a company claim a risk-first and risk-aware culture if its chief officers cannot speak on security and risk? A shift to risk awareness starts from the top. As board leaders begin to see cyber as a top-of-mind challenge - CEOs will need to collaborate with their security team to encourage conversation around security and risk in the boardroom.
The first step is engaging with information security leaders within your organization - start with the risks that can impact you specifically (phishing, for example), and expand your knowledge further. In tandem, collaborate with your CISO to ensure that the cyber risk metrics they deliver fit into your existing risk structures for other facets of the enterprise - they want to deliver value as much as you want the information. In all, ensure that your organization is performing and secure while also knowing how to measure those success metrics.