The CISO's Ultimate Guide to Reporting to the Board. Win respect, earn more budget and change the world one security improvement at a time.


If you're an IT security and risk executive being called to report to the board, you're not alone. CSOs, CISOs and CIROs are increasingly required to report to CEOs and boards of directors about cybersecurity risk in the enterprise. It's a golden opportunity for those security executives to make security champions out of the most influential leaders in the organization. Unfortunately, it's also an opportunity that is often squandered. If you feel like you're having a hard time getting through to your CEO and board of directors, it might be time to rethink your approach. Here are some critical ways you can improve how you communicate risk up the management chain.

Chart: Executives and directors reporting infosec as a top boardroom issue (values shown: 63%, 33%, 22%, 25%; series labels not recoverable)

93 percent of security leaders brief the board of directors on cybersecurity strategy.
22 percent of board audit committees in the United States say the quality of cybersecurity information they receive is good.
25 percent of … review IT risk assessments.

Approach reporting with the rigor of a CFO.

First things first. One of the best ways you can take advantage of your audience with the board is by taking a page from the CFO playbook. When CFOs sit down with directors, they'll come with a financial statement in hand to give a look at what happened in the previous quarter. They'll typically have a balance sheet that gives a point-in-time snapshot of what's happening now: the current financial posture, as it were. And then they'll offer a waterfall analysis to explain how things look against financial forecasts, basically a comparison of actual performance versus predicted or expected performance. The CFO's reporting is very regimented and disciplined, and it gives the board a numerical view of where the organization has been, where it is now, where it wants to be and how well it is doing in achieving those goals.

Now, we understand that there's a lot about security that requires qualitative explanations in addition to the quantitative ones. We get it. In accounting, the numbers will match; they have to. In security it is more complicated than that. The point here is that for CISOs to be taken seriously by the board, they at least need to try to be more quantitative. If you find some consistent measurements to follow and are disciplined about how they're collected and analyzed, you're far more likely to get better mindshare from the board.

Chart: How do boards want cybersecurity information? (response categories; values not recoverable)
- High-level security strategy descriptions
- Risk metrics
- Security and risk posture compared to peers
- Description of security technologies
- Audit and compliance status
- I am not regularly briefed on our security posture
- Anecdotes

Focus on metrics quality over quantity.

At the same time, remember that numbers aren't there to make pretty graphs on slide decks. They're meant to tell a story. And if you choose to clutter your story with irrelevant numbers, charts and graphs, you'll be ignored. Many security executives take to heart the lesson that boards respect metrics-driven reports. But they make the mistake of filling their presentations with too many broad, raw numbers that offer no context or perspective for risk-based oversight. Think for a minute. If you present a statistic such as the total number of malware attacks over the past year, how useful is that to the board? After all, is there any way for the board to know how that compares to previous years, whether things are improving, which assets are affected, and most importantly, what impact it has on the business? It is a metric that does not give board members any understanding of how well the organization is measuring risk so that they can make the right decisions. Instead, the board would rather see a metric that measures the effectiveness of the response to this body of attacks. Even better, the board wants to hear about response effectiveness specifically indexed against asset value.

Metrics ranked by usefulness to the board:

Less useful:
- Total number of malware attacks
- Total unpatched systems
- Total data loss prevention violations

More useful:
- Mean time to respond over each of the past 12 months
- Patch latency (length of time systems remain unpatched), by line of business and severity
- Probable number of sensitive data records that will be lost over the coming 12 months

Most useful:
- Mean time to respond during each of the past 12 months to attacks against infrastructure containing PII or sensitive IP
- Patch latency for mission critical systems, over each of the past 12 months
- Cost impact of the probable number of sensitive data records that will be lost over the coming 12 months

Context matters.

Remember: when reporting observations and metrics to the board, context matters. Context could come through a baseline measurement to track progress. It could mean contextualizing with a time-based measurement to offer insight into the speed and efficacy of response. Or it could mean comparing a figure against an industry benchmark to offer an idea of how well the organization is doing compared to its peers. Most important of all, though, metrics should offer business context to the board. These leaders want prioritization rankings based on the value of the assets being protected. They want analytics that forecast losses in the event of something bad happening to a particular system or batch of closely held information. They want to see numbers that demonstrate how a new security investment is reducing risk to high value assets. Being able to make a distinction between risks to high value systems and all of the other infrastructure in your environment is critical. But it's not easy. In order to do that, you'll need to do the foundational work of knowing exactly what your crown jewels are and where they're located.

Answer these questions to give context:
- How are our most important assets being protected in comparison to our least important assets?
- How does our cybersecurity strategy align with our business objectives?
- How do we measure the effectiveness of our cybersecurity program?
- What would it cost us if the sensitive data in our ecommerce system was stolen?
- What kind of employee and third party vendor user behavior is elevating our risk of getting breached?
- What process is in place to identify if we are breached?
- What percentage of our vendor users with access to our network are putting us at risk of a compromise?
- What steps are we taking to remediate that risky behavior?
- What is each line of business doing to manage its own department's cyber risk?
- By how much has that cyber risk decreased during the past quarter?

Respect the board.

Respect is a two-way street. If you don't come to the table with a healthy respect for your directors, you're not likely to win back that respect from them. Directors are typically smart, competent and confident people. They may not be experts in security, but they do know how to steer a business away from risk and toward profit by listening to subject matter experts. However, they expect those experts to frame that advice around relevant business concerns. In other words, you're not going to impress a board with how smart you are by throwing technical jargon at them that will go over their heads. Quite the opposite. Instead, they'll be frustrated that you don't understand their concerns. They'll hammer you with questions about what those technical points actually mean for the business. And once you eventually speak the language they understand, the language of business risk, they'll wonder why you didn't start there in the first place.

Similarly, transparency and honesty are the currency of a respectful relationship. Are you thinking about holding back certain data, or maybe changing a baseline start date to make performance look a little better? Just stop. That kind of dishonesty will eventually be discovered, and it will not only undermine your credibility but could cost you your job. In the same vein, if you have metrics that are based on incomplete data sets, that's OK as long as you're transparent about what you don't know. Let the board know where the blind spots are and help them decide if further investment or work is needed to clear them up.

… percent of boards look for risk and cybersecurity experience from new directors.

Develop a reproducible process.

A large number of security executives today take a point-in-time approach to reporting to the board. They might ask their reports for status updates on very specific security metrics and manually compile them into a spreadsheet. They toss those numbers into some slides and then give their presentation. If they survive that ordeal, they take a deep breath, put the spreadsheet away and come back to do the same thing three to six months later. The problem is that those reports are disconnected from how you are actually combatting cyber risks every single day. It is a continuous process, and that is what you should be telling board members, so they can track progress from period to period. To reliably do that, you're going to need a better process for gathering metrics and observations. Ultimately, you're seeking the most elegant way to show the real state of affairs in cybersecurity risk. As a security expert, your role is to be a risk leader who is tasked with presenting the most accurate and complete information possible, so that the board understands its risk posture, can make decisions and has a yardstick to measure whether it's getting better over time.

50 percent of senior IT professionals don't have procedures in place to measure their existing security programs.

5 keys to reliable reporting metrics:
- DEFINABLE: There's a standardized method for collecting the data presented to the board.
- AUTOMATED: The means of collection is reproducible and, preferably, automated to ensure precise measurements over time.
- TRACEABLE: The process for collecting and parsing data is transparent and easy to understand.
- TRUSTWORTHY: Metrics are based on attributes that aren't unduly affected by personal bias or that can be gamed by those being reported on.
- CONTINUOUS: Data is collected in as near to real time as possible.

For more information, please visit