As 2020 nears its end, CISOs and infosec teams are expected to prepare board and C-suite briefings on the state of their organization's cybersecurity posture, including a comprehensive 2021 cybersecurity budget. This is no small feat, as one of the major issues plaguing CISOs today is that there is little visibility into an enterprise's attack surface. According to a Ponemon Institute survey, 88% of breaches are due to poor cyber hygiene that skews the outlook of a company's security posture. Ultimately, this means that security pros remain faced with the challenge of maintaining comprehensive visibility over their complex attack surface while also combating the evolving threat landscape.
What's more, recent statistics confirm that 16 billion records were exposed in the first half of 2020. As such, CISOs and security teams are overwhelmed by the challenge of maintaining and optimizing security posture, which can be an impediment to developing a strategic cybersecurity outlook for the board and C-suite. Given this lack of clarity into the attack surface and security posture, how can CISOs present a unified and strategic vision for 2021?
Step One: Gain an Understanding of the Organization's Cybersecurity Posture
With billions of security signals across an enterprise attack surface, CISOs must start with obtaining continuous, comprehensive visibility of the risks to their organization by utilizing artificial intelligence (AI) and deep-learning tools to make sense of this vast number of signals.
Since board members and other senior executives are rarely skilled cybersecurity pros, CISOs are best served by quantifying cyber-risk in financial terms that these stakeholders understand. By communicating in the language of business, rather than technology, CISOs will find a more receptive audience that better understands the information security program and is more likely to provide support for infosec team requests.
Step Two: Build a Board Presentation
Slide No. 1: Where are we on the cyber-risk spectrum?
● This first slide can help the CISO identify where their company is on the cyber-risk spectrum from the data gathered by the risk dashboards. Then he or she can quantify the risk scores in financial terms based on current security controls and outline the business impact of a breach.
Slide No. 2: Quantify cyber-risks across the business.
● Every enterprise is organized differently, so CISOs should break down risk areas in pre-existing structures. This might mean organizing by business unit or asset type. Regardless, the idea is to communicate the highest risk areas of the business that need additional focus.
Slide No. 3: Show progress with risk trends.
● In this slide, CISOs can offer a high-level summary with visualizations showcasing how risk levels have changed since the last board meeting. CISOs can also point out specific areas of risk that have decreased or increased and support those conclusions with data.
Slide No. 4: Where do we want to be?
● An open conversation with the board about where the organization should be on the cyber-risk spectrum is key. Companies have an ever-expanding attack surface as data grows and technology accelerates. In addition, employees are shifting toward remote work, which brings a whole new layer of security concerns.
Slide No. 5: How will we get there? Lay out a plan.
● In this last slide, CISOs can present a prioritized list of projects and deployments for the next quarter and the expected impact on overall risk relative to projected cost.
● To answer "how we will we get there?" effectively, CISOs need to know their security posture's most vulnerable areas. They can then present the top risk groups that need to be addressed, building a case by comparing the cost of mitigations to the likelihood of a breach and business impact of a breach for each area.
Step Three: Develop a 2021 Budget
CISOs recognize they cannot reduce their organization's cyber-risk to zero. Still, they can reduce it as much as possible by focusing on eliminating the most significant risks first. Therefore, when developing a budget, CISOs should consider a proactive risk-based approach that homes in on the biggest cyber-risks facing the business. This risk-based approach allows the CISO to quantify the risk across all areas of cyber weakness, and then prioritize where efforts are best expended. This ensures maximum impact from fixed budgets and teams.
The fact is, the National Institute of Standards and Technology reports that an average breach can cost an organization upward of $4 million — more costly than the overall budget for many organizations. Consider a scenario where one CISO invests heavily in proactive measures, successfully avoiding a major breach, while another invests primarily in reactive measures and ends up cleaning up after a major breach. The benefit is that one (the proactively inclined CISO) ends up spending 10x less overall.
As a CISO, if you place yourself in the board's shoes and clearly communicate and quantify your organization's overall cyber-risk, your message is better received, and you're more likely to get the support needed to transform your company's cybersecurity posture.
A Solid Foundation for Board Presentation Success
While there is more awareness among top leadership and board members regarding the daunting challenges of cybersecurity, a board member's view of cybersecurity is primarily concerned with cybersecurity as a set of risk items, each with a certain likelihood of happening with some business impact.
To present an accurate plan and budget, CISOs must understand the organization's IT inventory, including asset criticality, other risk items, and which compensating controls are effective. An AI solution can help an organization analyze the data signals across the attack surface on a continuous, real-time basis to quantify risk, prioritize the most important tasks, and define a plan and vision for the future.
As such, answering these questions ahead of time will help CISOs define a plan and take the organization in a positive direction.