Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

5/1/2017
10:00 AM
Ryan LaSalle
Ryan LaSalle
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

The Cyber-Committed CEO & Board

Here is what CISOs need to communicate to upper management about the business risks of mismanaging cybersecurity.

CEOs and corporate board members are awash in threat alerts and advice about cyber-risk. None of us can go a day without reading about an enterprise that was attacked or breached by cybercriminals. What’s interesting, though, is that CEOs and corporate directors most often hear about security only in the context of technology.

I’m a cyber technologist at heart, but I encourage them to see cyberthreats as a risk management issue — with an emphasis on management. Yes, technology matters, but it’s only one component of an effective cyber defense.

CEOs can start by considering the business relevance of cyber-risk in their unique enterprise context and then focus on how they work with their leadership team to address the issue. CEOs need to be more than just involved in cyber-risk management. They need to engage personally. Board members should follow this advice as well. They all need to engage more to understand the business risk management issues.

To be an effective cyber-committed CEO or corporate director, you should roll up your sleeves, shoulder-to-shoulder with your chief information security officer (CISO), and assess the business risk in business terms. CISOs can help make this happen. It requires a partnership — and that partnership is needed right now.

In a recent Accenture research study conducted among 2,000 security executives across 12 industries and 15 countries, 70% of the respondents agreed that "cybersecurity at our organization is a board-level concern and supported by our highest-level executives." While this top-level concern is encouraging, especially considering what’s at stake, how do you create a cyber-committed CEO and board? CEOs and boards should do these three key things:

  • Capture the strategic picture of cybersecurity in the business.
  • Speak the language of business impact in all cybersecurity communications.
  • Build "muscle memory" for threat response at the CEO and board level.

To get a strategic picture of cybersecurity in the business, management should address four key elements in the enterprise.

  • What are the threats to our most important lines of business — and how are they changing?
  • What are we doing in response, and how effective is it?
  • What are the strategic options and initiatives across our business? What are we doing to manage the risks they pose?
  • What are the remaining risks, and what do we need to do about them?

These four elements need to arrive at a critical conclusion: What decisions or actions are we requesting from the board? The key is to focus on threats that create real risks for the business.

[Check out the two-day Dark Reading Cybersecurity Crash Course at Interop ITX, May 15 & 16, where Dark Reading editors and some of the industry's top cybersecurity experts will share the latest data security trends and best practices.]

My second principle for CEOs and boards is to make sure everyone addressing cyber-risk issues speaks the language of the business. Use of technical jargon can stymie your alignment and the effectiveness of your cyber defense.

Accenture research shows that only one-third of cybersecurity executives believe their organizations effectively monitor business-relevant threats. I believe that’s due in large part to inadequate communication and understanding of what makes a threat business-relevant from the start.

Most CEOs and boards receive scorecards and updates regarding cyber-risk, but are they tabulating the number of software patches installed (a technology hygiene metric) or addressing the larger business issue? Do we have business integrity in our foundational IT systems?

Although IT management metrics often report in technology terms, I believe CEO- and board-level cyber-defense scorecards and metrics need to be business-relevant, as do the explanation and communication of what they reveal.

Effective communications on cyber-risk for the CEO and board should address risk management issues such as: Can the business protect online customers so they continue to buy? Can we safeguard our most important assets such as contracts, pricing sheets, and M&A data? Can we prevent employees stealing from the company? Can we protect our intellectual property from the devastating impact its theft would have on business goals?

We often make significant investments in IT audits. We read the reports on the vulnerabilities that are revealed but fail to communicate and convey the impact for the business. That approach renders a meaningful response by the CEO and the board next to impossible. It also makes the eyes of CEOs and board members glaze over as they try to assess what the CISO is reporting to them. The lesson here is to report on business risk and potential business impact on all cybersecurity matters.

Finally, an engaged CEO and board are a prepared CEO and board. As with any team sport — an enterprise cyber defense is a team effort where the CEO must be a player-coach — you have to practice and prepare for game day. I advise CEOs and boards to build "muscle memory" for threat response. To do this, CEOs and boards should get hands-on in cybersecurity crisis drills, simulations, and tabletop exercises. There may be no better way to establish the business relevance of cybersecurity than to drill, review, and, drill again.

The benefits here are threefold. First, the CEO and board get a sense of what can go wrong. Second, everyone involved gets a sense of the breadth and scope of the cyber-risk issue. Third, there is a clear focus on what the CEO’s role is in shepherding the company through a cyber crisis and where the board will need to participate.

CEOs are comfortable with risk: They manage risk all the time. They understand how to deal with financial risk, regulatory risk, and fraud. Cyber-risk may be new and novel, but CEOs shouldn’t be uncomfortable managing it. The CISO can help: Think business relevance. Speak in business terms. And practice and prepare. The efforts will pay off with an engaged and cyber-committed CEO and board.

Related Content:

As the Accenture Security Growth and Strategy lead, Ryan LaSalle plays a strategic role in helping clients adapt and thrive in an evolving security threat landscape. He drives the offering and innovation strategy, people agenda, industrialization of solutions, and global ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
5/1/2017 | 1:05:50 PM
CISOs and CEOs and Boards
Of course, the first step is to give the CISO that direct (or, at least, less indirect) line to the CEO and the Board.  Many CISOs still report to CIOs -- but there has been a trend away from that because of the inherent conflicts of interest between the office and budget of the CIO and the office and budget of the CISO.
JulietteRizkallah
50%
50%
JulietteRizkallah,
User Rank: Ninja
5/16/2017 | 12:39:34 PM
Cybersecurity and the board
Board memebers are getting more involved in cybersecurity in 3 areas:

1. they are becoming targets. remember colin powelll's gmail account leak by wikileaks? well it included a list of Salesforce's acquisition targets that Powell's received via email being on the baord of salesforce. Corporations today communicate their utmost sensitive data with board members and in the majority of the cases it happens through a non-secure personal email account.

2. they make the decision to transfer risk to cyberinsurance along with CEOs. CISOs are very rarely involved in this decision. Boards often are.

3. Educated Board members and CEOs look at Cybersecurity as a competitive advantage in a world where attacks are common, frequent and more and more our new normal.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/21/2020
Hacking Yourself: Marie Moe and Pacemaker Security
Gary McGraw Ph.D., Co-founder Berryville Institute of Machine Learning,  9/21/2020
Startup Aims to Map and Track All the IT and Security Things
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-4719
PUBLISHED: 2020-09-24
The client API authentication mechanism in Pexip Infinity before 10 allows remote attackers to gain privileges via a crafted request.
CVE-2020-15604
PUBLISHED: 2020-09-24
An incomplete SSL server certification validation vulnerability in the Trend Micro Security 2019 (v15) consumer family of products could allow an attacker to combine this vulnerability with another attack to trick an affected client into downloading a malicious update instead of the expected one. CW...
CVE-2020-24560
PUBLISHED: 2020-09-24
An incomplete SSL server certification validation vulnerability in the Trend Micro Security 2019 (v15) consumer family of products could allow an attacker to combine this vulnerability with another attack to trick an affected client into downloading a malicious update instead of the expected one. CW...
CVE-2020-25596
PUBLISHED: 2020-09-23
An issue was discovered in Xen through 4.14.x. x86 PV guest kernels can experience denial of service via SYSENTER. The SYSENTER instruction leaves various state sanitization activities to software. One of Xen's sanitization paths injects a #GP fault, and incorrectly delivers it twice to the guest. T...
CVE-2020-25597
PUBLISHED: 2020-09-23
An issue was discovered in Xen through 4.14.x. There is mishandling of the constraint that once-valid event channels may not turn invalid. Logic in the handling of event channel operations in Xen assumes that an event channel, once valid, will not become invalid over the life time of a guest. Howeve...