Board directors have very little patience for technical jargon. Given the tremendous pressure executives are under to avoid headline-grabbing data breaches, CISO reports should align enterprise risks with their potential impacts on business objectives in terms that nontechnical board members can easily understand.
An EY report titled “The Evolving Role of the Board in Cybersecurity Risk Oversight” stated that board directors “seek assurances from management that their cyber risk management programs will reduce the risk of attacks and, when necessary, will detect, respond and recover from any attack that does happen.”
In a speech at the Public Company Accounting Oversight Board International Institute on Audit Regulation, U.S. Treasury Deputy Secretary Sarah Bloom Raskin remarked that quality reporting on cyber risks should empower directors and officers to “ask the right questions, hold their teams accountable and consider the relevant trade-offs before making decisions about their organizations’ cybersecurity strategy.”
Directors are also on the hook when it comes to ensuring that cyber risks are appropriately disclosed. In a speech to the Economic Club of New York, Securities and Exchange Commission (SEC) Chairman Jay Clayton stated, “Public companies have a clear obligation to disclose material information about cyber risks and cyber events.” He further cautioned that “being a victim of a cyber penetration is not, in itself, an excuse.”
What Data Do Directors Want?
According to an NYSE report, directors want “better access to key metrics on company performance, health, areas of risk and potential opportunities, all provided closer to real time and in a quickly digestible, visually appealing format.”
Similarly, the EY report found that a key challenge was “obtaining relevant, objective and reliable information, presented in business-centric terms.” The report also noted that the lack of such data affected “board members’ ability to understand the risks facing their organizations and evaluate management’s response to these risks.”
Directors are under pressure to ensure that they are dutifully discharging their duties of care and due diligence. In fact, the SEC’s code of ethics requires directors and officers to make “full, fair, accurate, timely and understandable disclosure in reports and documents that a registrant files with, or submits to, the Commission and in other public communications made by the registrant.”
Communicating Cyber Risks to Business Executives
In 2017, it is simply unacceptable for a chief information security officer (CISO) to fail to provide quality reporting of cybersecurity metrics to the organization’s directors and officers. Given the pressure boards and executives are facing, CISOs must address the need to improve their reporting and provide quality data that brings value and clarity to help boards make cyber risk decisions. What should be in those CISO reports?
According to a letter from the California Public Employees’ Retirement System to the secretary of the SEC, disclosures must be “meaningful, understandable, timely, comparable and consistent to enable open and honest dialogue and informed decision making.” Furthermore, health care analytics firm HealthCatalyst noted that a decision support tool should deliver data that is accessible, reliable, relevant, timely and includes trends and benchmarks.
Finally, business executives want dashboards that display performance of the cybersecurity function over time, hence the need for trend lines.
Listen to the podcast: If you can’t measure it, you can’t manage it
Four Key Characteristics of Effective CISO Reports
The visibility and frequency of security reporting have increased. As a result, it is more important than ever for CISO reports to possess the following four key traits so that they contain information that board directors and top leadership can actually use to make sound cybersecurity decisions for the business. CISOs should adapt these traits to their own organizations, supplement them with their own experience, and mentor the business leaders who consume the data.
1. Appropriate and Relevant to Its Audience
The primary purpose of a CISO report is to convey information that is appropriate and relevant to its audience. This means avoiding techno-babble. The format, tone and context of your report must be tailored to the audience. CISOs should adopt a high-level view and focus on sharing data that is relevant to directors.
Have you ever seen a report that was chock-full of value but presented in a way that was dry, theoretical or condescending? If so, you probably had a hard time reading it. Is that the experience you want your directors to have? Remember to organize your content in a way that is approachable, even personal, such as telling a story or using a metaphor to illustrate a point.
Your CISO report should be engaging, not in the sense of a theatrical performance, but in the sense of connecting with the reader and, to some extent, providing educational value. Much like the first time you read a sentence in a foreign language, directors might not catch every subtlety right away, but they get the gist, and each subsequent report builds their familiarity with the subject and its subtext.
2. Grounded in a Business Mindset
Keep technology-focused metrics such as patch levels and time-to-patch in the operational reporting where they belong, and think instead about the kinds of metrics that convey cybersecurity value in business terms. Look for ways to express the value of cybersecurity-related activities in terms of their ability to bring cyber risks into an acceptable range and to help the business meet its objectives and implement its strategy.
This is also an opportunity to address some larger organizational concerns, such as overall progress toward improved cyber resilience and integration with an enterprise risk management (ERM) model. CISOs should also address the progress made by management in implementing a culture of security; the nature of interactions between the board, CISO and staff; HR processes and business workflows that work well; and processes that impede improvements to the organization’s cybersecurity posture.
3. Contains Quality Data
Even the most appropriate, business-focused reports are of little value without quality data. CISOs should consider the accuracy and timeliness of their data and, where appropriate, organize it along a trend line to show areas of improvement or concern. They should also strive to balance the large volume of backward-looking data with forward-looking projections or leading indicators, keeping in mind that leading indicators are predictions: they may turn out to be wrong, and they must be confirmed or disproved by the lagging data that arrives later.
One of the key decisions that directors need to make is about the effectiveness of the controls already in place and those about to be deployed. How solid is the security plan that management has agreed on? Does it have the desired impact within the financial and time constraints, or are security projects running late and going over budget? Directors are also under pressure to ensure that the organization is thorough in its assessment and treatment of cyber risks. Are there any areas in which a cyber risk assessment hasn’t been performed or updated? What about internal threats? How are those handled, or at least monitored?
In more mature organizations, CISO reports should also cover the effectiveness of threat detection systems, the robustness of incident response plans and more advanced mechanisms for evaluating third-party provider risk.
4. Transparent About Weaknesses and Weak or Unverified Data
A key theme of CISO-board communications is transparency and trust. For most of the other risks they govern, directors have a solid understanding of the weaknesses in the underlying data. For example, they understand that currency markets can move rapidly because of factors at home or abroad, or even because of events in a third country in which the company has no presence. The same cannot yet be said about cyber risks.
It is critical for CISOs to be open, honest and transparent about the strength and reliability of their cyber indicators and to share that metadata with directors. How do we know what we know? To what extent can we trust the readings? How often are we checking the reality on the ground to make sure the readings are correct? Think of an old car with a bad fuel gauge: Is the car undrivable because you cannot trust the readings? No. You adjust your interpretation of the readings, knowing that they are reliable only within a certain range.
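The points made in sections 3 and 4, a trend line for each indicator plus explicit metadata about how fresh, how complete and how well spot-checked the underlying data is, can be made concrete in a small scoring routine. The following Python is an added example, not code from the article or its author; the indicator name, the thresholds (30 days for staleness, 90 percent coverage, 10 percent spot-check error) and the monthly readings are all constructed for illustration and should be tuned to the organization.

```python
"""Board-level risk indicator with a trend line and data-reliability metadata.

Added example, not from the original article. All readings and thresholds
below are constructed assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Reading:
    """One observation of an indicator, with the metadata needed to judge it."""
    as_of: date
    value: float        # indicator value, here a percentage 0..100
    covered: int        # assets the tooling actually reported on
    population: int     # assets that should have been reported on
    spot_checked: int   # assets verified by hand against the tool's reading
    spot_errors: int    # of those, how many the tool got wrong


def slope_per_30_days(readings):
    """Least-squares slope of value over time, expressed as change per 30 days."""
    if len(readings) < 2:
        return 0.0
    t0 = readings[0].as_of
    xs = [(r.as_of - t0).days for r in readings]
    ys = [r.value for r in readings]
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    if sxx == 0:
        return 0.0
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    return 30 * sxy / sxx


def reliability(latest, today):
    """Grade how far a director should trust the latest reading.

    Returns (grade, caveats); the caveats are the 'metadata' the article says
    belongs next to the number. Thresholds are assumptions.
    """
    age_days = (today - latest.as_of).days
    coverage = latest.covered / latest.population if latest.population else 0.0
    error_rate = (latest.spot_errors / latest.spot_checked
                  if latest.spot_checked else None)
    caveats = []
    if age_days > 30:
        caveats.append("reading is %d days old" % age_days)
    if coverage < 0.9:
        caveats.append("tooling covers only %.0f%% of the asset population"
                       % (coverage * 100))
    if error_rate is None:
        caveats.append("no spot checks performed; accuracy is unverified")
    elif error_rate > 0.1:
        caveats.append("spot checks found %.0f%% of readings wrong"
                       % (error_rate * 100))
    grade = "high" if not caveats else ("medium" if len(caveats) == 1 else "low")
    return grade, caveats


def board_summary(name, target, readings, today):
    """Reduce a series of readings to the handful of facts a board slide needs."""
    readings = sorted(readings, key=lambda r: r.as_of)
    latest = readings[-1]
    grade, caveats = reliability(latest, today)
    slope = slope_per_30_days(readings)
    trend = "improving" if slope > 0.5 else "worsening" if slope < -0.5 else "flat"
    status = "within appetite" if latest.value >= target else "outside appetite"
    line = ("%s: %.0f%% vs target %.0f%% (%s); %s, %.1f points per 30 days; "
            "data reliability %s" % (name, latest.value, target, status,
                                     trend, slope, grade))
    return {"indicator": name, "value": latest.value, "target": target,
            "status": status, "trend": trend,
            "slope_per_30_days": round(slope, 1),
            "reliability": grade, "caveats": caveats, "line": line}


# Constructed sample: share of customer-facing systems with a current risk
# assessment, reported monthly. The April scan covered fewer assets.
SAMPLE_READINGS = [
    Reading(date(2017, 1, 31), 72.0, 180, 200, 20, 1),
    Reading(date(2017, 2, 28), 78.0, 185, 200, 20, 0),
    Reading(date(2017, 3, 31), 81.0, 190, 200, 20, 1),
    Reading(date(2017, 4, 30), 85.0, 170, 200, 20, 1),
]
SAMPLE_TARGET = 95.0
SAMPLE_TODAY = date(2017, 5, 15)


def sample_summary():
    return board_summary("Customer-facing systems with a current risk assessment",
                         SAMPLE_TARGET, SAMPLE_READINGS, SAMPLE_TODAY)


if __name__ == "__main__":
    summary = sample_summary()
    print(summary["line"])
    for caveat in summary["caveats"]:
        print("  caveat:", caveat)
```

The `caveats` list is the fuel-gauge note from section 4: it travels with the number rather than being buried in an appendix, so a director sees "85 percent, improving, but the tooling missed 15 percent of the estate this month" as a single fact. The slope is a plain least-squares fit; with only a few monthly points it is a direction, not a forecast, which is exactly the kind of leading indicator section 3 says must be confirmed later.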
Additional Food for Thought
Below are a few additional resources to help security leaders deliver more informative and useful CISO reports to board directors.
In closing, the CISO of the future, according to KPMG’s “FTSE 350 Cyber Governance Health Check,” has been cast as “someone who can articulate a cybersecurity strategy in the context of the company’s business strategy — and someone who sees the cyberthreat as just one of a number of risks to be managed and mitigated.” Your CISO reports should reflect that same business focus.
InfoSec, Risk, and Privacy Strategist - Minnesota State University, Mankato