In a recent survey of business communication by the well-known audit and consulting firm PwC, board directors were asked to rate the quality of presentations they receive from senior managers. CISOs ranked at the bottom of the list with just 19% of CISO presentations being rated as “excellent.”
Ask a CISO for a reaction, and you might get this: “The problem is the C-suite and the board just don’t understand technology.” Continuing with, “I showed them the stats on our patching cadence, CVSS score and NIST CSF maturity rating and they just looked at me blankly.”
Time was, the rest of the business might have bought into the idea IT security was unique among business functions, with processes, standards and language too technical to be understood by ordinary business folk. Cybersecurity management is technical, the thinking went, therefore the results could only be expressed in technical language, too.
That era came to a crashing end in the last few years when crippling malware and devastating data breaches made cyber risks a clear and present danger for the entire organization. Now, board members and senior management are likely to wave off CISO techno-speak and push to get their questions answered on their terms. Questions like:
CFO: “How much cyber risk do we have? Are we spending too much or too little?”
Audit: “Did you fix the high priority issues?”
CIO: “Are we spending our cybersecurity budget on the right things? What’s the ROI?”
Board/CEO: “We don’t want to be the next news headline. Are we secure?”
Now, the tables have turned: It’s the CISO who faces a vocabulary test at every senior-level meeting. Forward-looking infosec leaders are realizing they need to align themselves with the way the rest of the business thinks or fall into irrelevance.
Here’s some bottom line advice for any CISO looking to restart effective communication with the rest of the business: Follow the money. Understand that, if you’re not communicating about cyber risk in business terms, dollars and cents, you’re not communicating.
That means a shift in how CISOs understand cybersecurity risk. Factor Analysis of Information Risk (FAIR), an international standard model for quantifying cyber risk in financial terms, provides a pragmatic way to approach the problem.
According to FAIR, a risk always involves a “loss event” – in other words, the probability that some threat actor, e.g. a cyber criminal, uses some technique, e.g. use of stolen user credentials, that results an adverse effect, e.g. a data breach, causing a form of financial loss within a certain timeframe.
So, a risk is not a vulnerability, ransomware, the cloud or Fancy Bear, but rather they might be factors that contribute to risk.
It’s an exercise in critical thinking that clears away a lot of the mental brush for CISOs that mix up communication. With a focus on loss events, infosec leaders can start analysis of probable occurrence and probable impact of cybersecurity incidents, based on internal or industry data, and frame the conversation truly around risk, much as other business units can discuss market, financial, operational or enterprise risk. As in other risk management disciplines, cyber risk can be estimated as a range of probable financial outcomes, not “8 on a scale of 10” or “yellow but not as bad as red.”
A CISO can start directly answering questions on how much cyber risk the organization faces, what risks are higher and lower priority, where spending on controls should be directed and, based on experience with the effectiveness of those controls, what’s an expected return on investment in terms of risk reduction. For that ultimate, senior management/board question, “Are we secure?” there’s a ready answer, “I can’t promise complete security, but I can give the organization the means to make an informed decision on what financial level of cyber risk we want to carry based on the level of investment.” Guaranteed, there won’t be blank stares.
Related: Cyber Risk = Business Risk. Time for the Business-Aligned CISO