How Should CISOs Report Cyber Risks to Boards?

Making the Grade

In KPMG’s “2015 Global Audit Committee Survey,” audit committee members ranked the quality of the information they received about cyber risks last among the 12 types of risks reported to them. Forty-one percent of respondents rated cyber risk communications as “needs improvement.” Basically, boards gave CISOs a grade of F or, at best, a D.

Yet failure is not an option for CISOs in this new role. They are increasingly being turned to for counsel and viewed as a risk leader in the enterprise. As an IBM-sponsored report, “IBM Empowers the CISO,” explained, “Security reporting in the past has often been via complex reports and presentations. This has meant that the boardroom has often had little real understanding of the real state of IT security. One thing that the boardroom is comfortable with is the use of BI to drill down through complex data to get a clear understanding of the profit, loss and risk associated with business activity.”

The problem is often too much data. The report stated that the average CISO has more than 50 tools used to manage security. While it may be tempting for a CISO to report on all the security data available, doing so would waste the board’s time and damage the board’s view of the CISO as a risk leader. It is up to the CISO to sift through the mountains of security data to provide the board with a clear picture of the organization’s cyber risks.

What Are Boards Looking For?

Of course, CISOs should be ready to address what boards want to know about cyber risks. In its report on cybersecurity oversight in the boardroom, KPMG listed the three most important questions for boards to ask as:

  1. What are the new cybersecurity threats and risks, and how do they affect our organization?
  2. Is our organization’s cybersecurity program ready to meet the challenges of today’s and tomorrow’s cyberthreat landscape?
  3. What key risk indicators should I be reviewing at the executive management and board levels to perform effective risk management in this area?

When it comes to engagement from the board, the advice included for board directors emphasized the need to:

  • Understand the risk management approach and linkage to enterprise risk;
  • Review and approve risk tolerance;
  • Understand the current maturity of control structure; and
  • Review the relevancy of the selected control framework.

How Can Tools Help?

CISOs and their teams should look for tools that “present data to the boardroom and specifically the CISO in an actionable state, rather than what is often perceived as noise,” according to the report. This means dashboards with near real-time representation of cyber risks and the ability to drill down by business sector to compare one sector with another or identify a source of high risk, and across time periods to see how the risks changed over time. The goal for such a tool should be, as the report put it, “helping the CISO engage with the board in terms of risk and budget.”

To illustrate how tools can assist the CISO in doing just that, consider the two solutions briefly covered below.

Brinqa

Brinqa describes itself as “a new, unified risk management system” that “combines a robust and flexible architecture and capabilities that have proven to be a practical solution to the information technology risk management dilemma.”

Brinqa is a quantitative solution that can summarize data from a multitude of security tools into a common risk language to evaluate the overall posture and identify critical gaps.

Accliviti

Accliviti “was developed to fill three large gaps in information security management: 1) to provide an accurate measurement of security across large enterprises; 2) to visually guide development of a strong information security framework; and 3) to communicate security to management as a justification for security investments.”

In contrast to Brinqa’s quantitative approach, Accliviti uses qualitative input from the organization’s own security professionals to gauge the level of maturity of each of the components of the cyber risk program.

So while Brinqa’s dashboard can crunch security data from a number of products and produce up-to-date reports from that data, Accliviti’s dashboard can elevate the discussion to focus on the level of maturity desired and achieved for each of the components of a security framework.

Here is a screenshot of Accliviti’s Improvement Summary dashboard that shows the initial score, revised score, desired goal maturity score and maturity delta from that goal for each of five categories tracked as part of an ISO security program.

Image of the Process Improvement Summary screen of the Accliviti tool - reports metrics on maturity level of the information security program itself

These are only two of the many options available today that did not exist just five years ago. Since it isn’t feasible to present an exhaustive list of the ways or tools CISOs could use to report on cyber risks, security leaders should explore the cyber risk dashboard market to find similar tools or simply to glean ideas for how to improve their next presentation or report.

Reporting and Managing Cyber Risks

As Norman Marks, author of two books of relevance to CISOs, “World-Class Internal Auditing” and “World-Class Risk Management,” explained, an enterprise risk management program should support “effective, informed and intelligent decision-making.” The next time you are preparing to present to executives or board directors, ask yourself if your presentations and reports meet those criteria.

Better yet, ask your audience if your data met their needs. As John Pironti wrote in the November 2015 ISACA newsletter, “Present information that the organization really wants. Instead of assuming what business leaders and stakeholders want to know about information risk and security, ask them.”

Having the right tools will facilitate this process, but it may take time to find the best fit for your enterprise and board of directors.

View the infographic: Insights from the 2014 CISO Assessment

Christophe Veltsos

InfoSec, Risk, and Privacy Strategist - Minnesota State University, Mankato

Chris Veltsos is a professor in the Department of Computer Information Science at Minnesota State University, Mankato where he regularly teaches Information Security and Information Warfare classes. Beyond the classroom, Chris is also very active in the security community, engaging with community groups and advising business leaders on how to best manage information security risks.