An effective strategy for communicating cybersecurity risk to the board

An effective strategy for communicating cybersecurity risk to the board

Understanding cybersecurity in practical terms offers many challenges. Joe Robertson, Director of Information Security and EMEA CISO at Fortinet, breaks down some of the most effective methods for spreading understanding and effective cybersecurity practice.

Most individuals on the board of directors for organisations are not cybersecurity experts. However, they are likely very aware of the global events going on in this tumultuous time of continued disruption by the COVID-19 pandemic, the war in Eastern Europe and the growing volume and sophistication of cyberattacks.

With these concerns in mind, they definitely want to know if their organisation is at risk.

You can also bet that although they don’t know all the technical jargon of cybersecurity, they are savvy enough to ask CISOs or CIOs for a status report on the organisation’s cyberdefences.

Joe Robertson, Director of Information Security and EMEA CISO, Fortinet

This presents a challenge for an IT security expert reporting to the board: ‘How can I effectively communicate our organisation’s cybersecurity risk? What metrics can I share with them that will properly answer the ‘are we at risk?’ question?’

Honestly, I don’t believe boards care as much about metrics as we sometimes think. They would rather have a simple yes or no answer to the questions: ‘Are we at risk?’ and ‘Are we protected?’ The problem with the first question is that the answer is always yes.

No matter how much you put in place to protect yourself, there’s always a risk. In the digital world, enterprises are always facing threats-no matter the time or place. As for the second question about protection, there is no simple yes-or-no answer. Because even if the answer is ‘yes, we’re protected,’ It begs a follow-up question: ‘Are we protected enough?’

The answers to better questions

Too many organisations think only about preventing attackers from getting in. They tend to focus on firewalls, antivirus, remote access authorizations, etc. However, there is a very real chance that an adversary has already circumvented these defences and is inside their networks.

When attackers have evaded frontline defences, CISOs need to have tools like sandboxing, deception technology and analysis in place to detect, deceive and quarantine the invaders.

I think CISOs need to educate board members on how to ask better questions regarding cybersecurity risk. The questions that an organisation’s leadership team should be asking include: ‘Where are our risks? Which are the highest priority? How can we reduce risks?’

These types of queries will help CISOs develop a strong cybersecurity strategy. They need to identify what the best cybersecurity posture is for the organisation and select activities that will protect the highest risks to the business. The board should be paying attention to this strategy and not just having cybersecurity as a check-off item on their monthly meeting agenda. Cybersecurity must be a board-level priority within the organisation.

Three cybersecurity basics the board must understand

Regarding a company’s cybersecurity risk, the board needs to understand three basics:

1) The threat of attack is existential for most organisations – For example, a ransomware attack that shuts down production could bring down the company permanently. It is literally that serious.

2) Cybersecurity requires prioritization – Cybersecurity may not be the most core part of a business, but it requires investment, just like other areas that organisations must invest in human resources, the legal department, facilities, IT and so forth.

3) Three types of investment – The investments that must be made in cybersecurity really come in three forms: people, products and processes.

A. People – Organisations need people who have the skills to understand and protect the business and its employees. This means investing in skills-whether your own staff or people to manage your outsourcers.

B. Products – CISOs need technologies that work together and are easy for the IT staff to manage and analyse. It should include threat intelligence subscriptions.

C. Processes – Investment in processes is not just a combination of people and products but it’s also having vigilance. Having processes in place means the organisation is constantly observing the threat landscape and becoming more and more aware of what it looks like. It is also about staying on top of new developments, both in terms of threats and types of defences.

Above are all things that the security team should be dealing with and CISOs need to find ways of abstracting them to the board level. Again, metrics might seem like a natural way of conveying the data, but the problem with metrics is that every organisation is different – and there are no real standard security measurements.

That said, there are several standards that CISOs can compare their organisations to as well as try to attain. They are: NIST in the US, the NIS directive in the European Union and, in production and operational environments, IEC 62443, which has four security levels.

What the cybersecurity team leader – whether they’re on the networking side or security side – needs to do, rather than provide metrics-specific numbers, is bring a dashboard to the board. A dashboard view is something that can give them a comprehensive idea of the state of the organisation’s protection.

A ROSI view to justify security investments

Another tool that CISOs may want to consider that isn’t a metric but can help justify security investments to top leadership and the board of directors is the EU’s Return on Security Investment (ROSI) formula. The methodology was developed by ENISA, which is a European security organisation. Essentially, what it does is enables a CISO to come up with a number that looks like an ROI (Return on Investment) percentage –allowing it to be compared to traditional investments.

With ROI, it shows how much a regular investment is going to return. With ROSI, it indicates how much monetary protection an organisation is going to get or how much loss is going to be avoided. ROSI allows the cybersecurity people to go into a board meeting armed with a number, so that they can show it to the board, who then have to decide between investing in, for example, a new machine for the production line or in protection for the organisation’s database.

Browse our latest issue

Intelligent CIO Europe

View Magazine Archive