Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Risk Management

Communication is Broken Between CISOs and the Rest of the Business

In a recent survey of business communication by the well-known audit and consulting firm PwC, board directors were asked to rate the quality of presentations they receive from senior managers. CISOs ranked at the bottom of the list with just 19% of CISO presentations being rated as “excellent.”

In a recent survey of business communication by the well-known audit and consulting firm PwC, board directors were asked to rate the quality of presentations they receive from senior managers. CISOs ranked at the bottom of the list with just 19% of CISO presentations being rated as “excellent.”

Ask a CISO for a reaction, and you might get this: “The problem is the C-suite and the board just don’t understand technology.”  Continuing with, “I showed them the stats on our patching cadence, CVSS score and NIST CSF maturity rating and they just looked at me blankly.” 

Time was, the rest of the business might have bought into the idea IT security was unique among business functions, with processes, standards and language too technical to be understood by ordinary business folk.  Cybersecurity management is technical, the thinking went, therefore the results could only be expressed in technical language, too.  

That era came to a crashing end in the last few years when crippling malware and devastating data breaches made cyber risks a clear and present danger for the entire organization. Now, board members and senior management are likely to wave off CISO techno-speak and push to get their questions answered on their terms.  Questions like:  

CFO: “How much cyber risk do we have?  Are we spending too much or too little?”

Audit: “Did you fix the high priority issues?”

CIO: “Are we spending our cybersecurity budget on the right things?  What’s the ROI?” 

Board/CEO: “We don’t want to be the next news headline. Are we secure?” 

Now, the tables have turned: It’s the CISO who faces a vocabulary test at every senior-level meeting. Forward-looking infosec leaders are realizing they need to align themselves with the way the rest of the business thinks or fall into irrelevance. 

Here’s some bottom line advice for any CISO looking to restart effective communication with the rest of the business: Follow the money. Understand that, if you’re not communicating about cyber risk in business terms, dollars and cents, you’re not communicating. 

That means a shift in how CISOs understand cybersecurity risk. Factor Analysis of Information Risk (FAIR), an international standard model for quantifying cyber risk in financial terms, provides a pragmatic way to approach the problem.  

According to FAIR, a risk always involves a “loss event” – in other words, the probability that some threat actor, e.g. a cyber criminal, uses some technique, e.g. use of stolen user credentials, that results an adverse effect, e.g. a data breach, causing a form of financial loss within a certain timeframe.  

So, a risk is not a vulnerability, ransomware, the cloud or Fancy Bear, but rather they might be factors that contribute to risk. 

It’s an exercise in critical thinking that clears away a lot of the mental brush for CISOs that mix up communication. With a focus on loss events, infosec leaders can start analysis of probable occurrence and probable impact of cybersecurity incidents, based on internal or industry data, and frame the conversation truly around risk, much as other business units can discuss market, financial, operational or enterprise risk. As in other risk management disciplines, cyber risk can be estimated as a range of probable financial outcomes, not “8 on a scale of 10” or “yellow but not as bad as red.” 

A CISO can start directly answering questions on how much cyber risk the organization faces, what risks are higher and lower priority, where spending on controls should be directed and, based on experience with the effectiveness of those controls, what’s an expected return on investment in terms of risk reduction. For that ultimate, senior management/board question, “Are we secure?” there’s a ready answer, “I can’t promise complete security, but I can give the organization the means to make an informed decision on what financial level of cyber risk we want to carry based on the level of investment.”  Guaranteed, there won’t be blank stares.

RelatedCyber Risk = Business Risk. Time for the Business-Aligned CISO

Written By

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

Risk Management

A threat-based approach to security often focuses on a checklist to meet industry requirements but overlooked the key component of security: reducing risk.

Risk Management

CISA has published a report detailing the cybersecurity risks to the K-12 education system and recommendations on how to secure it.

Funding/M&A

More than 4,000 internet-accessible Pulse Connect Secure hosts are impacted by at least one known vulnerability, attack surface management firm Censys warns.

Cybersecurity Funding

2022 Cybersecurity Year in Review: Top news headlines and trends that impacted the security ecosystem

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...