For CISOs to gain the support of the board, they must first translate and report highly technical cybersecurity concerns and solutions into a language that can be understood by less technical businesspeople. The quality of this reporting is directly proportional to the degree of board support and, in turn, to how well enterprise cybersecurity is implemented.
CyberSaint, a risk management company, has talked to CISO members of the Advanced Cyber Security Center (ACSC) about this problem. The purpose was to uncover the challenges, opportunities, and effectiveness of risk reporting in large enterprises.
The primary challenges for CISOs are threefold: the technical complexity of the issues concerned, making it difficult for non-technical businesspeople to understand; the lack of any standard reporting metrics, making it difficult to compare performance across business units within an organization and industry peers in other organizations; and the time, expertise, and cost of reporting, causing many CISOs to resort to simple spreadsheets.
The three primary priorities that business leaders seek to understand are the management of strategic risk; the organization’s alignment with compliance requirements; and how cybersecurity purchases affect top-of-mind threats (such as ransomware).
Most of the CISOs believe their boards want better reporting on these and other subjects, and the CISOs (almost 60%) are trying to improve their methods. But boards still complain they receive “overly-technical reports from management teams that fail to put governance in business and financial terms”.
Six ‘best practices’ emerge from the discussions with CISOs:
Tailor reports to the audience. “Boards and executive leadership typically require high-level overviews and key performance indicators, without diving deep into technical details,” says the report (PDF).
Focus on business outcomes. Reporting should focus on business outcomes, such as revenue, reputation, and customer trust. This should compare the outcome of doing nothing with the outcome of taking specific countermeasures.
Provide actionable information. This is related to the previous recommendation. “Actionable guidance should include effectiveness of current controls, emerging risks, and the potential impact of cyber threats in dollars,” says the report. That is, potential investments versus potential losses.
Use a standardized reporting framework. A standard format helps consistency and comparability across departments and stakeholders, and reduces the time and effort needed to prepare the reports.
Include risk scenarios. The ‘what-if’ illustration of potential threats and their potential impact helps businesspeople to contextualize the relative need for investment in specific mitigations.
Regularity. Reporting should be done regularly to ensure the board and executive leadership have accurate and timely information on the organization’s security posture. Noticeably, almost 80% of the CISOs reported their own frequency of reporting has increased over the past three to five years.
SecurityWeek talked to Padraic O’Reilly, co-founder and CPO at CyberSaint, for his take on the major takeaways from the report. “Things are slowly improving,” he said; “but historically there has always been a disconnect between cybersecurity and the board. CISOs still fall back on the technical. They can’t help themselves — that’s the world they live in. For their part, the board hasn’t been able to translate this technical jargon into the financial profit and loss world they inhabit.”
The change now is that both sides have been forced to recognize they are ‘on the hook’ for cybersecurity. Public companies are required to disclose material cybersecurity incidents within four business days, and are further required to include an annual report on the board’s oversight of cybersecurity risks. From the security angle, the prosecution of Uber’s then-CISO Joe Sullivan for ‘misleading’ the board demonstrates that CISOs also have a legal liability for their actions. Such personal legal liability is only expected to increase over the next few years.
The problem remains: how can CISOs and boards bridge the lingering disconnect? Accurate and meaningful reporting is a major factor. Part of the solution, said O’Reilly, is the current push by CISOs to automate as much as possible. “It’s one of the shameful secrets of cyber,” he said: “the data is often too old to have any real value at the level of risk assessment.” Automating areas such as configuration checks on a daily basis means the CISO always has current data to report.
This approach can be extended by developing or buying a dashboard system. Ideally, key points would be displayed at upper levels, with the ability to drill down into greater granularity wherever and whenever required.
A dashboard would support three of the six ‘best practices’: it provides a standardized reporting framework; it allows more frequent and regular reporting on up-to-date data; and ‘what-if’ risk scenarios could also be built into the dashboard approach.
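The following is an added illustration of the two ideas above, the daily automated configuration check and the dashboard that rolls its results up for the board while keeping a drill-down for the security team; it is example code written for this page, not software from CyberSaint or from the report, and the record format, business units, hosts and control names are all constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: what a hypothetical daily configuration-check job
# might emit. Each record: business unit, host, control checked, result,
# and the date the check actually ran (the freshness O'Reilly worries about).
CHECK_RESULTS = [
    {"unit": "Retail",  "host": "pos-01", "control": "disk-encryption", "passed": True,  "checked": "2024-03-10"},
    {"unit": "Retail",  "host": "pos-02", "control": "disk-encryption", "passed": False, "checked": "2024-03-10"},
    {"unit": "Retail",  "host": "pos-02", "control": "mfa-enabled",     "passed": True,  "checked": "2024-03-10"},
    {"unit": "Finance", "host": "fin-01", "control": "disk-encryption", "passed": True,  "checked": "2024-03-09"},
    {"unit": "Finance", "host": "fin-01", "control": "mfa-enabled",     "passed": False, "checked": "2024-02-01"},
]

# A check older than this (in days) is reported as stale rather than silently
# counted as current. The threshold is an assumption for the example.
MAX_AGE_DAYS = 7


def summarize(results, report_date, max_age_days=MAX_AGE_DAYS):
    """Board-level view: one row per business unit with a pass rate and a
    count of checks whose data is too old to trust on the report date."""
    cutoff = datetime.fromisoformat(report_date) - timedelta(days=max_age_days)
    by_unit = defaultdict(lambda: {"total": 0, "passed": 0, "stale": 0})
    for r in results:
        u = by_unit[r["unit"]]
        u["total"] += 1
        if r["passed"]:
            u["passed"] += 1
        if datetime.fromisoformat(r["checked"]) < cutoff:
            u["stale"] += 1
    return {
        unit: {
            "pass_rate": round(v["passed"] / v["total"], 2),
            "stale_checks": v["stale"],
        }
        for unit, v in sorted(by_unit.items())
    }


def drill_down(results, unit):
    """Operational view behind one dashboard row: the failing host/control
    pairs for a single business unit, sorted for a stable report."""
    return sorted(
        (r["host"], r["control"])
        for r in results
        if r["unit"] == unit and not r["passed"]
    )


def render_board_report(summary):
    """Standardized plain-text lines for the top level of the dashboard:
    the same layout every period, so periods are comparable."""
    lines = []
    for unit, v in summary.items():
        flag = " (DATA STALE)" if v["stale_checks"] else ""
        lines.append(f"{unit}: {int(v['pass_rate'] * 100)}% of controls passing{flag}")
    return lines


if __name__ == "__main__":
    summary = summarize(CHECK_RESULTS, "2024-03-11")
    for line in render_board_report(summary):
        print(line)
    for unit in summary:
        print(unit, "failing:", drill_down(CHECK_RESULTS, unit))
```

The stale-data flag is the point worth keeping: a pass rate built on a check that last ran weeks ago would otherwise look as authoritative on the dashboard as one that ran this morning.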
But it is still only part of the reporting problem. It provides data on the company’s current security posture, but it doesn’t automatically assist in future planning for solutions to newly emerging threats.
Clearly, there is much that CISOs can do to improve the quality of their board reporting, but just as clearly, it remains a serious problem.