Blog | May 05, 2020

Cybersecurity Strategy IS Risk Management:
Cementing the Relationship Between the Board and the CISO

Part 2 of 3 in a series on risk management.

In our continuing blog series on risk management, part two explores the changing role of the chief security officer, the growing interest in cybersecurity at the board level and how cybersecurity must be a risk management factor.

Governing risk

It has long been said that the Chief Security Officer is the least interesting person to the board until they become the most interesting person—usually after a major security incident. The reality is that risk management has always been in the shadows when it comes to cybersecurity.

But given the increase in cyberattacks, massive data breaches and expensive penalties, the board of directors and officers of the company more than ever must pay attention because cyber risk now contributes to the overall mix of fiduciary responsibilities assigned to them, regardless of the company’s size.

In particular, cybersecurity ROI has become less about return on investment and more about risk of incarceration. Perhaps a stretch, but the sentiment sticks. Boards and senior executives are being held accountable for cyberattacks and damaging data breaches in terms of lawsuits, toppled stock values, financial losses and terminations.

Board members must familiarize themselves with the risks associated with growing cybercrime, emerging technologies and regulatory obligations, and privacy laws in multiple jurisdictions and even at multiple levels of government. Once armed with at least enough knowledge to be dangerous, boards must afford their executive team the budget, resources and people to protect the longevity of the business and its clients. And perhaps the most difficult issue is finding a common language by which they can communicate with their security teams to determine whether resources are allocated appropriately and security initiatives are aligned to risk goals.

In our FutureWatch study of 1,250 global security and business leaders, CEOs, board members and technical executives unanimously predicted a major cyberattack in the next two to five years. Over 60 percent of respondents assume a major event will occur. Interestingly, 77 percent of CEO and board respondents consider their organization prepared for such an event. As expected, technical leaders are approximately 20 percent more likely to predict an attack and are 10 percent less optimistic than their business peers in their organization’s preparedness.

Frankly, business leaders now fear the consequences of a major cyberattack more than regulatory retaliation. Operational disruption and reputational damage are of greater concern than potential financial losses and regulatory penalties. This trend reflects a shift from a compliance-centric security approach (avoiding punishment) to a more self-actualized mindset determined to reduce the risk of business-altering outcomes in order to protect the organization, its investors and its clients.

It is also imperative that boards align business objectives and risk tolerances with security and information technology programs. A firm’s risk comes down to a finite set of factors, including industry participation (think finance and healthcare), adoption of emerging technologies that bring competitive gain but introduce new and sometimes undetermined risk, and the maturity of the security programs designed to mitigate such risk. Not surprisingly, 64 percent of respondents in the same study predict a year-over-year increase in security budgets, while only five percent predict a reduction.

Recently, the National Association of Corporate Directors (NACD) and the UK National Cyber Security Centre published toolkits that boards can use to govern cyber risk. These resources provide differing levels of information; however, there are five common pillars:

AWARENESS: Understanding the impact of cyber risks and trends, experiencing the business impact of a breach and exposing personal risks

RISK: Identifying non-public assets and protected data and documenting regulatory and contractual obligations

PROGRAM: Establishing budget, staffing and programs that align to overall business risk priorities

REPORTING: Annual planning, quarterly reporting, dashboards and peer/industry comparisons of performance

INCIDENTS: Understanding incident response, board roles, critical business decisions, reporting to authorities and crisis communications

Perhaps the greatest challenge boards face is communicating with the CISO and other technology leaders in the company. In the FutureWatch study, respondents struggle to assign risk tolerance, understand resource requirements, and measure and report security progress. Only a third of respondents are confident that their security teams have access to the appropriate resources and that the organization is spending adequately on security. Similar confidence rates are associated with an organization’s ability to monitor and report on cybersecurity programs (34 percent), confidence that cybersecurity programs align to business objectives (33 percent), and confidence that high-profile assets are adequately secured (33 percent). In fact, a meager 29 percent of respondents indicated that their high-value or high-profile information is not adequately protected.

Risk in cybersecurity management

Let’s be really clear: cybersecurity professionals are in the business of managing risk. Firewalls and anti-virus are not valuable in themselves, and companies don’t buy them just for the sake of having them. They are used to avoid data breaches or business-disrupting cyberattacks.

Today, security leaders must align their security tech stack to risk tolerances and build out programs to mitigate unwanted risk. It means cybersecurity is part of the direct business equation and board and officer accountability. It is now a risk management issue that can be quantified and reported in the same way finance reports sales, costs and profit.

Our business mindset must shift from security as an IT problem to solve (and cost to minimize) to that of business risk management. It’s about building a communication chain that links the top of the organization with everyone participating in the ecosystem. This full stack alignment is critical to establishing a corporate culture that understands risk mitigation and doesn’t view cybersecurity as an inconvenience or necessary evil.

It’s not about unpatched VPNs, as in the case of Travelex, or unpatched Apache servers, as in the Equifax breach. Let me repeat myself … it’s a business issue! And, even more than that, it’s a people issue. Creating a data recovery plan is only a first step in the process. We know that cybersecurity risks are highest when little care is given to how people communicate, connect and process information. It is foolhardy to commit to changing the status quo on cybersecurity without taking a hard look at team members’ internal and external interactions at all levels. If your cybersecurity incident response plan is out of date, this helpful Pragmatic Security Event Management Playbook can help identify possible gaps and ensure that crucial steps in the communications and damage control chain are covered.

In part three of this blog series on risk management, we look beyond Covid-19 to consider whether we are experiencing a seasonal migration where we return to a cyber world that resembles a pre-quarantine world versus a climatic shift in the way we do business and view cybersecurity priorities going forward.

Mark Sangster

Vice President and Industry Security Strategist

Mark is a cybersecurity evangelist who has spent significant time researching and speaking to peripheral factors influencing the way that legal firms integrate cybersecurity into their day-to-day operations.