Boards Don't Want Security Promises — They Want Action
CISOs must demonstrate that security processes and updates reduce risk in measurable ways. Put emphasis on action, get the basics right, and improve processes.
Cybersecurity has never been more visible in businesses. The sheer number of stories about hacks affecting companies has pushed it up the agenda, while the Securities and Exchange Commission's requirements on cybersecurity reporting will force others to improve their position, too. As a result, management boards are now more likely than ever to include the CISO or an equivalent role.
According to Heidrick and Struggles' 2022 Chief Information Security Officer Survey, CISOs already have the ear of the board — 88% present monthly on their activities to the full board or to a cybersecurity board committee.
So, as cybersecurity professionals, we should have reached that promised land where our influence is felt and we can achieve the goals that we want to achieve, right? Wrong. Like a dog that chased a car, we have now caught it and must work out exactly what we are going to achieve with the resulting responsibility. The truth is, the hard work is only beginning.
Action, Not Words
It's not enough to provide insight around security that the board can understand, even though this is a skill in its own right. The biggest challenge that CISOs face is how to demonstrate that our security processes and updates will reduce risk in measurable and achievable ways. For those of us who have fought to get a seat at the table, this immediate response might seem like a poor return on all that investment.
Boards are concerned with risk and liabilities, so your approach should concentrate on risk, likelihood, and mitigations. This emphasis on action can be a tremendous spur to making changes in your approach. This also can be an opportunity to look at how to get more of the basics right across your operation. Tracking areas such as asset management and patching might not be relevant for board reporting, but improving these processes using automation and AI can lead to significant improvements.
For instance, getting more board support can provide the opportunity to take a "blank sheet of paper" approach to security planning and process, using the board's authority to force updates or new ways of working. However, for most established companies, this approach may not be possible. Most organizations, when articulating their security posture, already assume they will be breached. They now need to go a step further and accept that change is inevitable, and that some traditional processes and techniques simply aren't fast enough to keep up with the level and sophistication of current threats.
Demonstrate Impact
The second element here is to demonstrate that your actions are having an impact. For this, you must consider whether your changes will show immediate results or will be felt in the long term. Equally, you will have to understand whether these results represent one-off improvements or opportunities for long-term gains, as this will affect how you discuss these areas with the board. This approach comes with a warning — make sure you look at the risk. While quick wins are good for public relations, they don't always reduce risk, so CISOs must do both.
For those new in the role, making changes might lead to fast improvements. As an example, improving patch prioritization should make it easier to remediate critical- and high-severity issues. Proving that these issues are fixed within the parameters of your agreed service-level agreement (SLA) is a great way to demonstrate that you are managing issues — and therefore risk — effectively. However, your SLA may need to change — for instance, 30 days to patch critical issues isn't good enough. This data can also be used to reduce cyber-insurance premium costs, as you can demonstrate a well-managed and maintained system over time.
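The SLA-compliance metric described above, as an added example that is not from the article: it takes a list of findings with detection and remediation dates, applies a per-severity SLA window, and reports how many closed findings were fixed inside the window and how many open ones are already overdue. The SLA_DAYS values and the sample findings are constructed assumptions, not figures from the article.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Assumed SLA windows (days from detection to remediation) per severity.
# Hypothetical values for the example; use whatever the board has agreed.
SLA_DAYS = {"critical": 7, "high": 30}


@dataclass
class Finding:
    finding_id: str
    severity: str
    detected: date
    remediated: Optional[date] = None  # None while the finding is still open


def sla_report(findings: List[Finding], as_of: date) -> Dict[str, dict]:
    """Per tracked severity: closed count, closed within SLA, open count,
    open-and-overdue count, and compliance % (closed inside SLA / closed)."""
    report: Dict[str, dict] = {}
    for sev, limit in SLA_DAYS.items():
        row = {"closed": 0, "closed_within_sla": 0, "open": 0, "open_overdue": 0}
        for f in findings:
            if f.severity != sev:
                continue  # severities without an SLA window are not tracked here
            if f.remediated is None:
                row["open"] += 1
                if (as_of - f.detected).days > limit:  # open and past its window
                    row["open_overdue"] += 1
            else:
                row["closed"] += 1
                if (f.remediated - f.detected).days <= limit:
                    row["closed_within_sla"] += 1
        closed = row["closed"]
        row["compliance_pct"] = round(100.0 * row["closed_within_sla"] / closed, 1) if closed else None
        report[sev] = row
    return report


# Constructed sample data (not real findings); AS_OF is the reporting date.
AS_OF = date(2024, 3, 31)
SAMPLE = [
    Finding("C-1", "critical", date(2024, 3, 1), date(2024, 3, 5)),   # 4 days, in SLA
    Finding("C-2", "critical", date(2024, 3, 2), date(2024, 3, 15)),  # 13 days, breached
    Finding("C-3", "critical", date(2024, 3, 28)),                    # open 3 days, not overdue
    Finding("H-1", "high", date(2024, 2, 1), date(2024, 2, 20)),      # 19 days, in SLA
    Finding("H-2", "high", date(2024, 2, 10)),                        # open 50 days, overdue
    Finding("H-3", "high", date(2024, 1, 5), date(2024, 2, 20)),      # 46 days, breached
    Finding("M-1", "medium", date(2024, 3, 20)),                      # not tracked
]

if __name__ == "__main__":
    for sev, row in sla_report(SAMPLE, AS_OF).items():
        print(sev, row)
```

Run against a real vulnerability-management export, the same per-severity rows over successive months give the trend line the article says boards want to see.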
As part of this, you should also look at how to manage expectations around longer-term performance. As you improve, the level of risk will continue to drop over time — but the curve will be less steep, and gains will be more marginal. Over time, the cost to improve performance may be much higher and the return less visible. This is the sign of an effective, mature cybersecurity program with strong risk management emphasis, but it will take a long time to achieve this. Setting expectations around performance and risk early will, therefore, help get you the breathing room that you need to continue taking action.
Take Action
Getting board-level attention is one objective that many CISOs have, as it is part of their career journey and puts them in good stead for future roles. This puts the emphasis on what you are doing and how your priorities are getting carried out. According to one CISO I spoke with around board reporting, it is similar to the famous quote by Oscar Wilde: "The only thing worse than being talked about is not being talked about." Taking action is the best approach to show that you are worthy of that attention.