Two great pieces on cybersecurity and business risk
I want to start with a review of Security & Risk: How to Talk Digital Risk with The Board. It was written and published by the security software firm RSA, based on research by Gartner.
The article starts well with this:
The conversation around risk … should not be a negative experience. Understanding uncertainty – both possible positive outcomes and potential negative events – provides clarity in decision making. While there may be major trepidation entering a board meeting to discuss risk, the dialogue is fundamental to survival in today’s market. Fear of obstacles and challenges cannot stop organizations from growing. As strategies are built from top down, risk information presented to boards and executive teams will have a direct impact on a company’s success in seizing opportunities in the market and driving future investment.
It is encouraging to see statements like this from a software vendor. Rather than the normal view that risk exists to be managed or mitigated, this paragraph recognizes the need to take risk if you are to succeed. The difficulty lies in making informed and intelligent decisions about how much to invest in cyber rather than in other risk management activities or opportunities. Cyber defense has the potential to cripple a business if overdone!
The Gartner research has three findings. The first is obvious (that directors have a high level of interest and concern), and the others are:
- Board confidence in the organization’s ability to prevent and respond to incidents is low, with only a minority of boards expressing confidence in such abilities — a key deficiency that results in limited support.
- Security and risk management leaders often struggle to respond to board questions that are shaped by media reports and compliance concerns, leading to a cultural disconnect and breakdown of trust between business leaders and technology leaders.
These points are clarified further:
Although interest in risk management has grown, only 37% of board respondents feel confident or very confident that their company is properly secured against a cyberattack, compared to 42% last year. A slightly higher percentage (49%) is confident or very confident in the ability of management to address cyber risk. But more than one-fifth of directors (22%) expressed dissatisfaction with the quality of cyber-risk information provided to the board by management.
Do we have too little, too much, or is it just right? (It is also important to ask whether it is right for today but not for tomorrow, since needs change at the speed of the business.)
The piece has some other good points. For example, it says:
SRM leaders need to be able to give the board something that they care about and that is meaningful to them. But the confusion that results from the wider discourse around technology — including exaggerated, incomplete or contradictory public information — leads to asking the wrong questions, which the board nevertheless asks, over and over. These include: How secure are we? Why do we need more money for security, when we just approved X last year? What do you mean we got hacked a hundred times?
These questions distract from the most relevant aspects of the risk management discussion. Security and risk management leaders should orient their interactions with the board to ensure that the organization’s leadership has the right understanding to support the overall security practice.
Comment: that “right understanding” is not just to “support the overall security practice”, but to make the informed and intelligent business decisions necessary for success of the enterprise. Sometimes, that means taking more cyber risk than the CISO is comfortable with. Let me emphasize that: sometimes, the right business decision is to take more cyber risk than the CISO is comfortable with.
The problem is, in my opinion, that information security practitioners think and therefore report to management and the board as techies and not as business people.
They are sharing what they want to say, rather than what executives and directors need to know so they can make intelligent and informed business decisions.
As the paper says:
Communicating to the board should begin with an awareness of the audience: Who are the individuals on the board? What is their background? What role do they serve on the board — including any responsibility or background in cybersecurity?
Beyond individual passions and concerns, boards collectively usually care about three things:
- Revenue/mission: Operating or nonoperating income and enhancing nonrevenue mission objectives
- Cost: Future cost avoidance and immediate decrease in operating expenses
- Risk: Financial, market, regulatory compliance and security, innovation, brand, and reputation
Board members expect their leaders to interpret topic-specific information into its broader business impact. Security and risk management is one of these topics.
As with many publications, the authors now leave the real world of informed risk-taking and re-enter the doomsday world of trying to manage and mitigate risk – managing risk as if there were no upside. So while I encourage you to read the full paper, I leave it here.
The second piece is from CSO magazine: How to make your security team more business savvy. The article is built around an interview with Myrna Soto, the former CISO at Comcast and now the chief strategy and trust officer at the cybersecurity software firm Forcepoint.
Her approach is somewhat similar to what I and others adopted as CAE (chief audit executive): place the team among the business folk, close to their operations, so they can not only understand the business but make sure they are adding value to it.
The article says:
Myrna Soto has witnessed throughout her career the significant impact that business-minded security professionals can have on security success, so much so that she created a new position — the business information security officer (BISO) — during her tenure as global CISO with Comcast.
These BISOs cultivated relationships with business unit leaders to better understand the processes, transactions, initiatives and objectives that made their departments — and the company as a whole — tick.
The BISOs had to be more than technically astute and security minded to do well in their roles, and they had to be more than good communicators and fast learners. They had to understand business terms and principles, too.
To make sure they did, Soto embedded them within the business units for tours of duty and found other ways to sharpen their business acumen.
“If we did nothing other than that, we still would have gotten a tremendous value because that really opened those security professionals’ eyes to business needs and perspectives,” Soto says.
If the CISO doesn’t have a deep understanding of the business:
- The CISO almost certainly doesn’t understand how a breach would affect the business. The tendency will be to exaggerate it.
- The CISO also won’t be able to justify any additional spending on cyber because while he or she is talking techno, the people he or she wants to persuade are talking business.
- The organization is unlikely to strike the right balance between cyber defense and the risk-taking needed for success.
Some will say that the business executives and the board members should learn cyber and risk. To that I respond that while they may have a high-level understanding, they should be able (with sensible questioning) to rely on their technical experts, who run the security program in partnership (and with lots of dialogue) with business leaders.
What do you think? I welcome your comments.
If/when the board feels uncertain/uncomfortable with the company's capability in relation to cyber (or any other) risk, they must act on that, and request from Management that they build (and/or demonstrate) the needed capability to the satisfaction of the board. Otherwise, the Board is not lifting their fiduciary role.
The concept of cyber risks (there is not one, but many) is changing so fast that it is easy to become worried, and CISOs need to be able to demonstrate handling capabilities:
– What are the sources of risks, and how are we addressing these?
  – Data integrity
  – Data security
  – Systems access
  – Systems runtime
– What are the elements of business exposure, and how do we address those?
  – Loss of revenue
  – Additional costs
  – …
This is basically addressing a “bow tie” analysis on cyber risks.