SecurityWeek

Risk Management

Communication is Broken Between CISOs and the Rest of the Business

In a recent survey of business communication by the well-known audit and consulting firm PwC, board directors were asked to rate the quality of presentations they receive from senior managers. CISOs ranked at the bottom of the list with just 19% of CISO presentations being rated as “excellent.”

Ask a CISO for a reaction, and you might get this: “The problem is the C-suite and the board just don’t understand technology.” Continuing with, “I showed them the stats on our patching cadence, CVSS score and NIST CSF maturity rating and they just looked at me blankly.”

Time was, the rest of the business might have bought into the idea that IT security was unique among business functions, with processes, standards and language too technical to be understood by ordinary business folk. Cybersecurity management is technical, the thinking went, therefore its results could only be expressed in technical language, too.

That era came to a crashing end in the last few years, when crippling malware and devastating data breaches made cyber risk a clear and present danger for the entire organization. Now, board members and senior management are likely to wave off CISO techno-speak and push to get their questions answered on their own terms. Questions like:

CFO: “How much cyber risk do we have?  Are we spending too much or too little?”

Audit: “Did you fix the high priority issues?”

CIO: “Are we spending our cybersecurity budget on the right things?  What’s the ROI?” 

Board/CEO: “We don’t want to be the next news headline. Are we secure?” 

Now, the tables have turned: It’s the CISO who faces a vocabulary test at every senior-level meeting. Forward-looking infosec leaders are realizing they need to align themselves with the way the rest of the business thinks or fall into irrelevance. 

Here’s some bottom-line advice for any CISO looking to restart effective communication with the rest of the business: follow the money. Understand that if you’re not communicating about cyber risk in business terms, dollars and cents, you’re not communicating.

That means a shift in how CISOs understand cybersecurity risk. Factor Analysis of Information Risk (FAIR), an international standard model (published by The Open Group) for quantifying cyber risk in financial terms, provides a pragmatic way to approach the problem.

According to FAIR, a risk always involves a “loss event”: in other words, the probability that some threat actor (e.g. a cyber criminal) uses some technique (e.g. stolen user credentials) that results in an adverse effect (e.g. a data breach), causing some form of financial loss within a given timeframe. Risk is then the frequency of such loss events combined with the magnitude of the loss each one causes.

So, a risk is not a vulnerability, ransomware, the cloud or Fancy Bear; those are factors that may contribute to risk, not risks in themselves.

It’s an exercise in critical thinking that clears away a lot of the mental brush that muddles CISO communication. With a focus on loss events, infosec leaders can start analyzing the probable frequency and probable impact of cybersecurity incidents, based on internal or industry data, and frame the conversation genuinely around risk, much as other business units discuss market, financial, operational or enterprise risk. As in other risk management disciplines, cyber risk can be estimated as a range of probable financial outcomes, not “8 on a scale of 10” or “yellow but not as bad as red.”

A CISO can then start directly answering questions on how much cyber risk the organization faces, which risks are higher and lower priority, where spending on controls should be directed and, based on experience with the effectiveness of those controls, what the expected return on investment is in terms of risk reduction. For that ultimate senior management/board question, “Are we secure?”, there’s a ready answer: “I can’t promise complete security, but I can give the organization the means to make an informed decision on what financial level of cyber risk we want to carry at a given level of investment.” Guaranteed, there won’t be blank stares.
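To make that “range of probable financial outcomes” and the risk-reduction ROI concrete, here is an added Python example. It is not from the article and is not an official FAIR tool; it is a deliberately simplified Monte Carlo simulation of one FAIR loss-event scenario (stolen credentials used against a customer database) that reports annualized loss as percentiles rather than a single number, and compares the scenario before and after a control. Every input range, the scenario itself, and the $150,000-per-year cost of the assumed MFA control are constructed for illustration; FAIR’s calibrated estimation process and the finer branches of its taxonomy (contact frequency, probability of action, per-loss-form breakdown) are left out.

```python
"""
Simplified FAIR-style Monte Carlo: annualized loss for one loss-event
scenario, and the risk reduction a control buys.

Added example, not the article's or The Open Group's code. All ranges
below are constructed for illustration, not measured data.
"""
import math
import random
import statistics
from dataclasses import dataclass


@dataclass
class Pert:
    """Three-point estimate (min, most likely, max), sampled as a PERT distribution."""
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        if self.high == self.low:
            return self.low
        span = self.high - self.low
        a = 1 + 4 * (self.mode - self.low) / span   # classic PERT with lambda = 4
        b = 1 + 4 * (self.high - self.mode) / span
        return self.low + span * rng.betavariate(a, b)


@dataclass
class Scenario:
    """FAIR: LEF = threat event frequency x vulnerability; LM = primary + secondary loss."""
    threat_event_freq: Pert   # attempts per year
    vulnerability: Pert       # probability an attempt becomes a loss event (0..1)
    primary_loss: Pert        # dollars per loss event: response, replacement, productivity
    secondary_loss: Pert      # dollars per loss event: fines, legal, customer churn


def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's algorithm; adequate for the small annual rates used here."""
    if lam <= 0:
        return 0
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p < limit:
            return k
        k += 1


def simulate(scenario: Scenario, years: int = 10000, seed: int = 7) -> list[float]:
    """Return one simulated total loss (dollars) per simulated year."""
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        lef = scenario.threat_event_freq.sample(rng) * scenario.vulnerability.sample(rng)
        total = 0.0
        for _ in range(poisson(rng, lef)):
            total += scenario.primary_loss.sample(rng) + scenario.secondary_loss.sample(rng)
        losses.append(total)
    return losses


def summarize(losses: list[float]) -> dict:
    """Percentiles plus the chance of at least one loss event in a year."""
    s = sorted(losses)

    def pct(p: float) -> float:
        return s[min(len(s) - 1, int(p * len(s)))]

    return {
        "mean": statistics.fmean(s),
        "p10": pct(0.10), "p50": pct(0.50), "p90": pct(0.90),
        "p_any_loss": sum(1 for x in s if x > 0) / len(s),
    }


def risk_reduction(before: Scenario, after: Scenario, annual_control_cost: float,
                   years: int = 10000, seed: int = 7) -> dict:
    """Expected annual loss reduction from the control, net of its cost."""
    b = summarize(simulate(before, years, seed))
    a = summarize(simulate(after, years, seed))
    reduction = b["mean"] - a["mean"]
    return {"before": b, "after": a, "annual_reduction": reduction,
            "net_benefit": reduction - annual_control_cost}


# Constructed scenario: stolen credentials used against the customer database.
EXAMPLE_BEFORE = Scenario(
    threat_event_freq=Pert(2, 6, 15),            # credential-stuffing/phishing attempts per year
    vulnerability=Pert(0.05, 0.15, 0.40),        # password-only login
    primary_loss=Pert(50_000, 200_000, 800_000),
    secondary_loss=Pert(0, 300_000, 2_500_000),
)
# Same scenario with an assumed MFA control: only the vulnerability factor changes.
EXAMPLE_AFTER = Scenario(
    threat_event_freq=EXAMPLE_BEFORE.threat_event_freq,
    vulnerability=Pert(0.005, 0.02, 0.08),
    primary_loss=EXAMPLE_BEFORE.primary_loss,
    secondary_loss=EXAMPLE_BEFORE.secondary_loss,
)
MFA_ANNUAL_COST = 150_000  # assumed licence + operations cost, illustration only

if __name__ == "__main__":
    r = risk_reduction(EXAMPLE_BEFORE, EXAMPLE_AFTER, MFA_ANNUAL_COST)
    for label in ("before", "after"):
        s = r[label]
        print(f"{label:>6}: p10 ${s['p10']:,.0f}  p50 ${s['p50']:,.0f}  "
              f"p90 ${s['p90']:,.0f}  mean ${s['mean']:,.0f}  "
              f"P(any loss) {s['p_any_loss']:.0%}")
    print(f"expected annual reduction ${r['annual_reduction']:,.0f}, "
          f"net of control cost ${r['net_benefit']:,.0f}")
```

Run it and the output is the shape of answer the questions above ask for: a p10/p50/p90 loss range for the CFO, the probability of at least one loss event in a year for the board, and the expected annual reduction minus control cost for the CIO’s ROI question. The caveat a practitioner would add is that every figure depends entirely on the input ranges, so those should come from internal incident history or industry loss data and be revisited as they change, and the result should always be presented as a range, never the mean alone.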
