CISO Bill Brown knows how high-profile cyber security breaches like SolarWinds can raise alarm bells among executives and board members when they become headline news.
When leading information security for three previous companies, he remembers executives would call him during their morning train commutes after reading about the latest security breach, seeking reassurance. “Could this happen to us? Should we be concerned? But nothing more than that.”
Today he’s thankful that executives and the board at Abacus Insights, a healthcare-specific data integration platform where he now leads IT security, “happened to be very security savvy,” but many boards today are not.
While SolarWinds grabbed headlines, “think about all the other impacts to the business that were happening at the same time,” namely COVID-19, says John Pescatore, director of emerging security trends at The SANS Institute, who leads quarterly cyber security briefings for board members. “To the board, cyber security is one of many risks they’re involved in having responsibility for, and by far not the biggest risk for most companies.”
Some 85 per cent of security leaders in a recent Trend Micro/Enterprise Strategy Group survey say that boards of directors are more engaged in security decisions and strategy than they were two years ago. Those executives, however, are often passively drawn in because of a major breach, new compliance requirements or a new security program by a CISO.
The report recommends adding a business information security officer (BISO) to improve business security alignment, building a top-down measurable program, and changing reporting structures so the CISO reports directly to the CEO. Ultimately, analysts say it’s the CISO’s responsibility to build relationships with executives and the board and have regular conversations with them.
“It’s not just the board ignoring things or executives minimising things, but cyber security people staying in their lane,” says Jon Oltsik, senior principal analyst at Enterprise Strategy Group and author of the report. “We need progressive and proactive CISOs to kind of shake the world up.”
To maintain momentum, CISOs must keep the board’s attention with a steady stream of relevant information delivered in business terms and presented in the form of risk and strategy for cyber security, not just tech solutions. Security leaders and analysts offer some tips, tools, and frameworks to help translate security into strategy and keep the conversation going.
Match up with business models
If CISOs want to speak in board terms, “you have to speak strategically, and there are strategic business tools to do that,” says Lance Spitzner, director of SANS security awareness.
SANS offers security leaders a five-day, “MBA-type course” to learn about the business models and frameworks that executives and the board use to measure risk and develop strategy. CISOs can study PEST models, SWOT analysis, balanced scorecards, or how to combine the Capability Maturity Model Integration (CMMI) model with the NIST Cybersecurity Framework to communicate to board members the maturity of their different strategic security initiatives.
CISOs don’t have to know all of these models, just those that are important to their board, Spitzner says. “Talk to a couple of board members and ask what type of models they use in board meetings.”
Some industry-specific security frameworks also promote board discussions. Abacus recently completed a HITRUST certification, a common security framework in the healthcare sector that is frequently required by organisations that handle protected health information.
“These certifications put structure around your security activities,” including requirements around communicating with the board, Brown says. Some of the controls include regular conversations with the executive team about their role and business partners’ roles in protecting assets, with responsibility equal to that of the CISO.
Data visualisation tools can also help CISOs better translate cyber data into business impact. Brown created a quarterly heat map chart for the Abacus board that uses colours to represent data values in a table—from low probability, low impact issues in green, to high-probability, high impact issues in red.
The data values show potential risks he has identified, what the likelihood is for each to happen at Abacus, and what the impact would be if it did happen, including effects on customers' perception of the business and on relationships with vendors and partners. His team regularly monitors and updates this data.
"The board looks forward to seeing how the heat map has changed since the last quarter," Brown says. "If something is high potential, high impact, (we can discuss) what the security team has been doing to make them less likely or less impactful."
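The quarterly heat map Brown describes, as an added example (not code from Abacus Insights or from the article): risks are rated on assumed 1 to 5 likelihood and impact scales, the score bands for green, amber and red are assumed thresholds, and the two quarterly registers are constructed sample data; the function at the end produces the quarter-over-quarter changes the board asks about.

```python
# Added illustration, not code from Abacus Insights or the article; the thresholds,
# ratings and risk names below are constructed sample data.
from dataclasses import dataclass

GREEN_MAX, AMBER_MAX = 6, 14  # assumed score bands for 1-5 likelihood x 1-5 impact

@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact: int      # 1 (negligible) .. 5 (severe, e.g. customer or partner trust lost)

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

def colour(risk: Risk) -> str:
    """Heat map band: green for low/low through red for high/high."""
    if risk.score <= GREEN_MAX:
        return "green"
    return "amber" if risk.score <= AMBER_MAX else "red"

def heat_map(register: list[Risk]) -> dict[tuple[int, int], list[str]]:
    """Cells of the 5x5 chart keyed by (likelihood, impact), holding risk names."""
    cells: dict[tuple[int, int], list[str]] = {}
    for r in register:
        cells.setdefault((r.likelihood, r.impact), []).append(r.name)
    return cells

def quarter_changes(previous: list[Risk], current: list[Risk]) -> list[str]:
    """What the board asks for: which risks are new, retired or re-rated since last quarter."""
    prev = {r.name: r for r in previous}
    cur = {r.name: r for r in current}
    out = [f"NEW {n}: {colour(cur[n])} ({cur[n].score})" for n in sorted(cur.keys() - prev.keys())]
    out += [f"RETIRED {n}" for n in sorted(prev.keys() - cur.keys())]
    for n in sorted(cur.keys() & prev.keys()):
        if cur[n].score != prev[n].score:
            out.append(f"MOVED {n}: {colour(prev[n])} {prev[n].score} -> {colour(cur[n])} {cur[n].score}")
    return out

# Constructed registers for two consecutive quarters.
Q1 = [Risk("Vendor breach", 4, 4), Risk("Phishing", 5, 2), Risk("Lost laptop", 2, 2)]
Q2 = [Risk("Vendor breach", 2, 4), Risk("Phishing", 5, 3), Risk("Cloud misconfig", 3, 5)]

if __name__ == "__main__":
    print("\n".join(quarter_changes(Q1, Q2)))
```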
Benchmark against your competitors
Directors and executives want CISOs to benchmark their work against the company’s competitors, similar to what CFOs and COOs present to the board, Pescatore says.
“The board would like to hear, are we worse off or better off than our competitors when it comes to security initiatives or securing our supply chain,” he says. “It’s a hard thing to do quite often,” but there are resources that can help. The National Council of Information Sharing and Analysis Centers is an industry-specific organisation that gathers and shares information on cyber threats to critical infrastructure.
Information sharing and analysis centers (ISACs) also facilitate the sharing of data between public and private sector groups. The council lists 24 industries as participating members, including healthcare, retail and hospitality, financial services, media, and oil and gas. “There is the ability for people to get together and benchmark against each other,” Pescatore says. “It just hasn’t been amplified enough.”
Leverage the push for legislation
The SolarWinds attack on US government agencies has the new administration laser focused on fortifying the nation’s cyber security defences. There’s also a growing push from both sides of the aisle for federal privacy legislation.
Some bills introduced in recent years may finally be gaining traction. It’s a hot topic that will have Congress wrangling to reach consensus on whether any new federal laws can preempt state legislation already set to go into effect.
The California Privacy Rights and Enforcement Act (CPRA), for instance, passed in November and will be fully operative on January 1, 2023. It requires companies in the state with more than US$25 million in gross revenue to show reasonable cyber security safeguards, to submit an annual cyber security audit and regulatory filings of risk assessments to the newly created California Privacy Protection Agency, and to put contractual clauses and other safeguards in place to address supply chain security and privacy risks. Eight other states have similar versions of CPRA in the works.
CISOs should leverage this spotlight on new legislation to share how proactive cyber security measures and investments could position the company for compliance, analysts say.
It may sound basic, but CISOs need to build and nurture relationships with executives and the board beyond just being on-call for information requests or quarterly meetings, analysts say.
“Having that open line of communication all the time and not just during a major crisis is core, because otherwise security is put on the back burner and not taken seriously,” says Michael Oberlaender, author of the book, Global CISO: Strategy, Tactics and Leadership.
Relationships build allies, Brown says. “When bad things do happen, then you have that relationship already, and you’re all in it to solve together rather than finger pointing.”