CEOs and corporate board members are awash in threat alerts and advice about cyber-risk. None of us can go a day without reading about an enterprise that was attacked or breached by cybercriminals. What’s interesting, though, is that CEOs and corporate directors most often hear about security only in the context of technology.
I’m a cyber technologist at heart, but I encourage them to see cyberthreats as a risk management issue — with an emphasis on management. Yes, technology matters, but it’s only one component of an effective cyber defense.
CEOs can start by considering the business relevance of cyber-risk in their unique enterprise context and then focus on how they work with their leadership team to address the issue. CEOs need to be more than just involved in cyber-risk management. They need to engage personally. Board members should follow this advice as well. They all need to engage more to understand the business risk management issues.
To be an effective cyber-committed CEO or corporate director, you should roll up your sleeves, work shoulder-to-shoulder with your chief information security officer (CISO), and assess the business risk in business terms. CISOs can help make this happen. It requires a partnership — and that partnership is needed right now.
In a recent Accenture research study conducted among 2,000 security executives across 12 industries and 15 countries, 70% of the respondents agreed that "cybersecurity at our organization is a board-level concern and supported by our highest-level executives." While this top-level concern is encouraging, especially considering what’s at stake, how do you create a cyber-committed CEO and board? CEOs and boards should do these three key things:
- Capture the strategic picture of cybersecurity in the business.
- Speak the language of business impact in all cybersecurity communications.
- Build "muscle memory" for threat response at the CEO and board level.
To get a strategic picture of cybersecurity in the business, management should address four key elements in the enterprise.
- What are the threats to our most important lines of business — and how are they changing?
- What are we doing in response, and how effective is it?
- What are the strategic options and initiatives across our business? What are we doing to manage the risks they pose?
- What are the remaining risks, and what do we need to do about them?
These four elements need to lead to a critical conclusion: What decisions or actions are we requesting from the board? The key is to focus on threats that create real risks for the business.
My second principle for CEOs and boards is to make sure everyone addressing cyber-risk issues speaks the language of the business. Use of technical jargon can stymie your alignment and the effectiveness of your cyber defense.
Accenture research shows that only one-third of cybersecurity executives believe their organizations effectively monitor business-relevant threats. I believe that’s due in large part to inadequate communication and understanding of what makes a threat business-relevant from the start.
Most CEOs and boards receive scorecards and updates regarding cyber-risk, but are they tabulating the number of software patches installed (a technology hygiene metric) or addressing the larger business issue? Do we have business integrity in our foundational IT systems?
Although IT management metrics often report in technology terms, I believe CEO- and board-level cyber-defense scorecards and metrics need to be business-relevant, as do the explanation and communication of what they reveal.
Effective communications on cyber-risk for the CEO and board should address risk management issues such as: Can the business protect online customers so they continue to buy? Can we safeguard our most important assets such as contracts, pricing sheets, and M&A data? Can we prevent employees from stealing from the company? Can we protect our intellectual property from the devastating impact its theft would have on business goals?
We often make significant investments in IT audits. We read the reports on the vulnerabilities that are revealed but fail to communicate and convey the impact for the business. That approach renders a meaningful response by the CEO and the board next to impossible. It also makes the eyes of CEOs and board members glaze over as they try to assess what the CISO is reporting to them. The lesson here is to report on business risk and potential business impact on all cybersecurity matters.
Finally, an engaged CEO and board are a prepared CEO and board. As with any team sport — an enterprise cyber defense is a team effort where the CEO must be a player-coach — you have to practice and prepare for game day. I advise CEOs and boards to build "muscle memory" for threat response. To do this, CEOs and boards should get hands-on in cybersecurity crisis drills, simulations, and tabletop exercises. There may be no better way to establish the business relevance of cybersecurity than to drill, review, and drill again.
The benefits here are threefold. First, the CEO and board get a sense of what can go wrong. Second, everyone involved gets a sense of the breadth and scope of the cyber-risk issue. Third, there is a clear focus on what the CEO’s role is in shepherding the company through a cyber crisis and where the board will need to participate.
CEOs are comfortable with risk: They manage risk all the time. They understand how to deal with financial risk, regulatory risk, and fraud. Cyber-risk may be new and novel, but CEOs shouldn’t be uncomfortable managing it. The CISO can help: Think business relevance. Speak in business terms. And practice and prepare. The efforts will pay off with an engaged and cyber-committed CEO and board.