Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

5/1/2017
10:00 AM
Ryan LaSalle
Ryan LaSalle
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

The Cyber-Committed CEO & Board

Here is what CISOs need to communicate to upper management about the business risks of mismanaging cybersecurity.

CEOs and corporate board members are awash in threat alerts and advice about cyber-risk. None of us can go a day without reading about an enterprise that was attacked or breached by cybercriminals. What’s interesting, though, is that CEOs and corporate directors most often hear about security only in the context of technology.

I’m a cyber technologist at heart, but I encourage them to see cyberthreats as a risk management issue — with an emphasis on management. Yes, technology matters, but it’s only one component of an effective cyber defense.

CEOs can start by considering the business relevance of cyber-risk in their unique enterprise context and then focus on how they work with their leadership team to address the issue. CEOs need to be more than just involved in cyber-risk management. They need to engage personally. Board members should follow this advice as well. They all need to engage more to understand the business risk management issues.

To be an effective cyber-committed CEO or corporate director, you should roll up your sleeves, shoulder-to-shoulder with your chief information security officer (CISO), and assess the business risk in business terms. CISOs can help make this happen. It requires a partnership — and that partnership is needed right now.

In a recent Accenture research study conducted among 2,000 security executives across 12 industries and 15 countries, 70% of the respondents agreed that "cybersecurity at our organization is a board-level concern and supported by our highest-level executives." While this top-level concern is encouraging, especially considering what’s at stake, how do you create a cyber-committed CEO and board? CEOs and boards should do these three key things:

  • Capture the strategic picture of cybersecurity in the business.
  • Speak the language of business impact in all cybersecurity communications.
  • Build "muscle memory" for threat response at the CEO and board level.

To get a strategic picture of cybersecurity in the business, management should address four key elements in the enterprise.

  • What are the threats to our most important lines of business — and how are they changing?
  • What are we doing in response, and how effective is it?
  • What are the strategic options and initiatives across our business? What are we doing to manage the risks they pose?
  • What are the remaining risks, and what do we need to do about them?

These four elements need to arrive at a critical conclusion: What decisions or actions are we requesting from the board? The key is to focus on threats that create real risks for the business.

[Check out the two-day Dark Reading Cybersecurity Crash Course at Interop ITX, May 15 & 16, where Dark Reading editors and some of the industry's top cybersecurity experts will share the latest data security trends and best practices.]

My second principle for CEOs and boards is to make sure everyone addressing cyber-risk issues speaks the language of the business. Use of technical jargon can stymie your alignment and the effectiveness of your cyber defense.

Accenture research shows that only one-third of cybersecurity executives believe their organizations effectively monitor business-relevant threats. I believe that’s due in large part to inadequate communication and understanding of what makes a threat business-relevant from the start.

Most CEOs and boards receive scorecards and updates regarding cyber-risk, but are they tabulating the number of software patches installed (a technology hygiene metric) or addressing the larger business issue? Do we have business integrity in our foundational IT systems?

Although IT management metrics often report in technology terms, I believe CEO- and board-level cyber-defense scorecards and metrics need to be business-relevant, as do the explanation and communication of what they reveal.

Effective communications on cyber-risk for the CEO and board should address risk management issues such as: Can the business protect online customers so they continue to buy? Can we safeguard our most important assets such as contracts, pricing sheets, and M&A data? Can we prevent employees stealing from the company? Can we protect our intellectual property from the devastating impact its theft would have on business goals?

We often make significant investments in IT audits. We read the reports on the vulnerabilities that are revealed but fail to communicate and convey the impact for the business. That approach renders a meaningful response by the CEO and the board next to impossible. It also makes the eyes of CEOs and board members glaze over as they try to assess what the CISO is reporting to them. The lesson here is to report on business risk and potential business impact on all cybersecurity matters.

Finally, an engaged CEO and board are a prepared CEO and board. As with any team sport — an enterprise cyber defense is a team effort where the CEO must be a player-coach — you have to practice and prepare for game day. I advise CEOs and boards to build "muscle memory" for threat response. To do this, CEOs and boards should get hands-on in cybersecurity crisis drills, simulations, and tabletop exercises. There may be no better way to establish the business relevance of cybersecurity than to drill, review, and, drill again.

The benefits here are threefold. First, the CEO and board get a sense of what can go wrong. Second, everyone involved gets a sense of the breadth and scope of the cyber-risk issue. Third, there is a clear focus on what the CEO’s role is in shepherding the company through a cyber crisis and where the board will need to participate.

CEOs are comfortable with risk: They manage risk all the time. They understand how to deal with financial risk, regulatory risk, and fraud. Cyber-risk may be new and novel, but CEOs shouldn’t be uncomfortable managing it. The CISO can help: Think business relevance. Speak in business terms. And practice and prepare. The efforts will pay off with an engaged and cyber-committed CEO and board.

Related Content:

As the Accenture Security Growth and Strategy lead, Ryan LaSalle plays a strategic role in helping clients adapt and thrive in an evolving security threat landscape. He drives the offering and innovation strategy, people agenda, industrialization of solutions, and global ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
JulietteRizkallah
50%
50%
JulietteRizkallah,
User Rank: Ninja
5/16/2017 | 12:39:34 PM
Cybersecurity and the board
Board memebers are getting more involved in cybersecurity in 3 areas:

1. they are becoming targets. remember colin powelll's gmail account leak by wikileaks? well it included a list of Salesforce's acquisition targets that Powell's received via email being on the baord of salesforce. Corporations today communicate their utmost sensitive data with board members and in the majority of the cases it happens through a non-secure personal email account.

2. they make the decision to transfer risk to cyberinsurance along with CEOs. CISOs are very rarely involved in this decision. Boards often are.

3. Educated Board members and CEOs look at Cybersecurity as a competitive advantage in a world where attacks are common, frequent and more and more our new normal.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
5/1/2017 | 1:05:50 PM
CISOs and CEOs and Boards
Of course, the first step is to give the CISO that direct (or, at least, less indirect) line to the CEO and the Board.  Many CISOs still report to CIOs -- but there has been a trend away from that because of the inherent conflicts of interest between the office and budget of the CIO and the office and budget of the CISO.
Aviation Faces Increasing Cybersecurity Scrutiny
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/22/2019
Microsoft Tops Phishers' Favorite Brands as Facebook Spikes
Kelly Sheridan, Staff Editor, Dark Reading,  8/22/2019
MoviePass Leaves Credit Card Numbers, Personal Data Exposed Online
Kelly Sheridan, Staff Editor, Dark Reading,  8/21/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2016-6154
PUBLISHED: 2019-08-23
The authentication applet in Watchguard Fireware 11.11 Operating System has reflected XSS (this can also cause an open redirect).
CVE-2019-5594
PUBLISHED: 2019-08-23
An Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") in Fortinet FortiNAC 8.3.0 to 8.3.6 and 8.5.0 admin webUI may allow an unauthenticated attacker to perform a reflected XSS attack via the search field in the webUI.
CVE-2019-6695
PUBLISHED: 2019-08-23
Lack of root file system integrity checking in Fortinet FortiManager VM application images of all versions below 6.2.1 may allow an attacker to implant third-party programs by recreating the image through specific methods.
CVE-2019-12400
PUBLISHED: 2019-08-23
In version 2.0.3 Apache Santuario XML Security for Java, a caching mechanism was introduced to speed up creating new XML documents using a static pool of DocumentBuilders. However, if some untrusted code can register a malicious implementation with the thread context class loader first, then this im...
CVE-2019-15092
PUBLISHED: 2019-08-23
The webtoffee "WordPress Users & WooCommerce Customers Import Export" plugin 1.3.0 for WordPress allows CSV injection in the user_url, display_name, first_name, and last_name columns in an exported CSV file created by the WF_CustomerImpExpCsv_Exporter class.