
Let’s Close the Cybersecurity Knowledge Gap in the Boardroom

As senior executives embrace digital transformation to move their business forward, cyber risk and security are a high priority. According to Aon’s 2017 Global Risk Management Survey, cyber risk is one of the top 10 business risks globally and number one in North America. Unfortunately, many executives lack the information or knowledge they need to mitigate cyber risk. The National Association of Corporate Directors’ (NACD) 2016–2017 Public Company Governance Survey finds that almost one-quarter of boards are dissatisfied with the reporting that management delivers on cybersecurity. At the same time, the report finds that only 14 percent of the respondents feel that their board has a high level of understanding about cyber risks. 

If boards don’t understand cybersecurity, how can they govern cyber risk as they evolve their business through digital transformation? Using technology to build new business models, processes, software, and systems to increase efficiency, revenue, and margins helps to create a competitive advantage and disrupt markets. Think about companies like Amazon, Airbnb, and Square. But success depends on laying a strong cybersecurity foundation. 

This changes the role of the CISO in the boardroom. They are not only reporting out on questions of risk, but having to be an educator as well. I recently discussed how the role of CISOs is evolving beyond the traditional operational functions of preventing, monitoring, and responding to cyber attacks. CISOs and IT leaders are being asked questions about risk management they have never been asked before. For example: Are threat actors bypassing our defenses? What is our applicable risk? What kind of impact can they have? This shift presents an opportunity for security and IT executives to take a stronger leadership role and become a strategic voice in long-term security planning.

As a CISO or IT leader, there are four steps you can take to boost your effectiveness when you meet with your board and senior executives and help drive secure digital transformation. 

1. Understand your board’s appetite for risk and get involved in risk management

You need to invest in understanding business risk management so that you can effectively speak about risk in business terms and start to bridge the cybersecurity knowledge gap with enterprise leaders. To do this you must: 

• Understand the goals, philosophy, and policy of the business with respect to risk and risk management. 

• Demonstrate knowledge of the digital assets and business processes, including ownership, importance, business risks, and current mitigations. 

• Take part in the enterprise and IT security risk management functions, and know all the stakeholders. 

• Actively engage senior leaders in discussion of how cybersecurity can support existing business activity and spur new business initiatives. 

2. Build a risk profile focused on protecting your enterprise’s most critical assets

Boards are responsible for governing risks. A risk profile informs them about cybersecurity risk in terms they understand so that they can determine the proper level of effort and investment needed to secure the company’s assets. As you build the risk profile, involve a wide variety of organizational stakeholders, including business leaders, data and process owners, enterprise risk management, internal and external audit, legal, compliance, privacy, and the Information Risk Management Security (IRMS) team. Focus on the three risk areas within IT security: 1) IT infrastructure, including hardware, software, applications, and IoT devices; 2) connections to partners, vendors, and customers; and 3) people’s actions and awareness when interacting with systems. Look at each of these areas through the lens of what matters most to the business and what threats could result. For example, manufacturers typically have a low tolerance for risks from threats to production lines, while healthcare facilities are most concerned about risks that threaten patient monitoring systems, infusion systems, and patient records.

3. Measure cyber risk and establish real metrics

Here’s where the rubber meets the road. Measurement is crucial to understanding real risk and being able to show and talk about continuous improvement. You need to translate internal, IT-focused metrics into metrics the board can use to make decisions and act. To be most effective, these metrics should measure risk and cyber resilience in terms that are straightforward, can be baselined, show trends, and point to what a good outcome looks like. Board metrics may include risk statistics (e.g., an increase or decrease in industry threats, types of threats, policy exceptions, and security staffing or budget) and threat mitigation statistics (e.g., time to detect, contain, patch, and remediate; length of system outage; percentage of systems impacted; and type and number of systems affected).

4. Demonstrate effective cyber resilience and continuous improvement

You’re now in a position to demonstrate the ongoing stability, availability, confidentiality, and integrity of your enterprise information infrastructure. To communicate effectively with your board, focus your discussion on four broad topics: 1) recommended technologies and services that help ensure ongoing cyber resilience; 2) your approach to continuous improvement; 3) a review of metrics with the purpose of identifying and eliminating any that are less useful and adding new metrics over time; and 4) the business value of security, both in terms of return on investment (ROI) on security expenditures and as an enabler for new business initiatives. 

As the IT industry, compliance and legal requirements, threat actors, and your business model evolve, you must continuously revisit these four steps to ensure you remain focused on protecting your enterprise’s most critical assets. In so doing, you can have a business-oriented, forward-looking conversation with your board and business leaders, one that creates a deeper understanding of cyber risks and demonstrates how an effective cybersecurity strategy is essential for digital transformation. Closing the cybersecurity knowledge gap can provoke real, long-term change and create a new perspective that not only protects customers and revenue, but also lifts up your organization as a leader in its industry.
