5/1/2017
10:00 AM
Ryan LaSalle
Commentary

The Cyber-Committed CEO & Board

Here is what CISOs need to communicate to upper management about the business risks of mismanaging cybersecurity.

CEOs and corporate board members are awash in threat alerts and advice about cyber-risk. None of us can go a day without reading about an enterprise that was attacked or breached by cybercriminals. What’s interesting, though, is that CEOs and corporate directors most often hear about security only in the context of technology.

I’m a cyber technologist at heart, but I encourage them to see cyberthreats as a risk management issue — with an emphasis on management. Yes, technology matters, but it’s only one component of an effective cyber defense.

CEOs can start by considering the business relevance of cyber-risk in their unique enterprise context and then focus on how they work with their leadership team to address the issue. CEOs need to be more than just involved in cyber-risk management. They need to engage personally. Board members should follow this advice as well. They all need to engage more to understand the business risk management issues.

To be an effective cyber-committed CEO or corporate director, you should roll up your sleeves, shoulder-to-shoulder with your chief information security officer (CISO), and assess the business risk in business terms. CISOs can help make this happen. It requires a partnership — and that partnership is needed right now.

In a recent Accenture research study conducted among 2,000 security executives across 12 industries and 15 countries, 70% of the respondents agreed that "cybersecurity at our organization is a board-level concern and supported by our highest-level executives." While this top-level concern is encouraging, especially considering what’s at stake, how do you create a cyber-committed CEO and board? CEOs and boards should do these three key things:

  • Capture the strategic picture of cybersecurity in the business.
  • Speak the language of business impact in all cybersecurity communications.
  • Build "muscle memory" for threat response at the CEO and board level.

To get a strategic picture of cybersecurity in the business, management should address four key elements in the enterprise.

  • What are the threats to our most important lines of business — and how are they changing?
  • What are we doing in response, and how effective is it?
  • What are the strategic options and initiatives across our business? What are we doing to manage the risks they pose?
  • What are the remaining risks, and what do we need to do about them?

These four elements need to arrive at a critical conclusion: What decisions or actions are we requesting from the board? The key is to focus on threats that create real risks for the business.

My second principle for CEOs and boards is to make sure everyone addressing cyber-risk issues speaks the language of the business. Use of technical jargon can stymie your alignment and the effectiveness of your cyber defense.

Accenture research shows that only one-third of cybersecurity executives believe their organizations effectively monitor business-relevant threats. I believe that’s due in large part to inadequate communication and understanding of what makes a threat business-relevant from the start.

Most CEOs and boards receive scorecards and updates regarding cyber-risk, but are they tabulating the number of software patches installed (a technology hygiene metric) or addressing the larger business issue? Do we have business integrity in our foundational IT systems?

Although IT management metrics often report in technology terms, I believe CEO- and board-level cyber-defense scorecards and metrics need to be business-relevant, as do the explanation and communication of what they reveal.

Effective communications on cyber-risk for the CEO and board should address risk management issues such as: Can the business protect online customers so they continue to buy? Can we safeguard our most important assets such as contracts, pricing sheets, and M&A data? Can we prevent employees from stealing from the company? Can we protect our intellectual property from the devastating impact its theft would have on business goals?

We often make significant investments in IT audits. We read the reports on the vulnerabilities that are revealed but fail to communicate and convey the impact for the business. That approach renders a meaningful response by the CEO and the board next to impossible. It also makes the eyes of CEOs and board members glaze over as they try to assess what the CISO is reporting to them. The lesson here is to report on business risk and potential business impact on all cybersecurity matters.

Finally, an engaged CEO and board are a prepared CEO and board. As with any team sport — an enterprise cyber defense is a team effort where the CEO must be a player-coach — you have to practice and prepare for game day. I advise CEOs and boards to build "muscle memory" for threat response. To do this, CEOs and boards should get hands-on in cybersecurity crisis drills, simulations, and tabletop exercises. There may be no better way to establish the business relevance of cybersecurity than to drill, review, and drill again.

The benefits here are threefold. First, the CEO and board get a sense of what can go wrong. Second, everyone involved gets a sense of the breadth and scope of the cyber-risk issue. Third, there is a clear focus on what the CEO’s role is in shepherding the company through a cyber crisis and where the board will need to participate.

CEOs are comfortable with risk: They manage risk all the time. They understand how to deal with financial risk, regulatory risk, and fraud. Cyber-risk may be new and novel, but CEOs shouldn’t be uncomfortable managing it. The CISO can help: Think business relevance. Speak in business terms. And practice and prepare. The efforts will pay off with an engaged and cyber-committed CEO and board.

As the Accenture Security Growth and Strategy lead, Ryan LaSalle plays a strategic role in helping clients adapt and thrive in an evolving security threat landscape. He drives the offering and innovation strategy, people agenda, industrialization of solutions, and global ...
 

Comments
JulietteRizkallah,
User Rank: Ninja
5/16/2017 | 12:39:34 PM
Cybersecurity and the board
Board members are getting more involved in cybersecurity in 3 areas:

1. They are becoming targets. Remember Colin Powell's Gmail account leak by WikiLeaks? Well, it included a list of Salesforce's acquisition targets that Powell received via email, being on the board of Salesforce. Corporations today communicate their utmost sensitive data with board members, and in the majority of cases it happens through a non-secure personal email account.

2. They make the decision to transfer risk to cyberinsurance along with CEOs. CISOs are very rarely involved in this decision. Boards often are.

3. Educated board members and CEOs look at cybersecurity as a competitive advantage in a world where attacks are common, frequent and more and more our new normal.
Joe Stanganelli,
User Rank: Ninja
5/1/2017 | 1:05:50 PM
CISOs and CEOs and Boards
Of course, the first step is to give the CISO that direct (or, at least, less indirect) line to the CEO and the Board.  Many CISOs still report to CIOs -- but there has been a trend away from that because of the inherent conflicts of interest between the office and budget of the CIO and the office and budget of the CISO.