Way back in January of 2020, before the world knew what was in store for it with a global pandemic and resulting non-voluntary digital transformation, I wrote an article called “The CxO Business Executive and Security Leadership’s Guide to Cyber Security Harmony.” I wanted to explore common points of friction between business executives and CISOs (Chief Information Security Officers) and create a playbook to enhance communication and transparency between leaders.
In the last couple of months, this topic resurfaced with different variations in multiple conversations:
- Challenges building engagement and accountability for cybersecurity beyond IT (whether cybersecurity reports to the CIO or not).
- The need to educate and proactively manage the Board of Directors discussion about cybersecurity – including comments that board directors are becoming better educated on cyber, with more diverse skillsets represented.
- Difficulty showing the value of cybersecurity investments to executive and board leadership because collecting and articulating metrics is inconsistent – and the desire to shift from tactical/technical data to meaningful storytelling with business context.
- Using business risk to focus and prioritize time, staff, and investment in cybersecurity more strategically, and being less reactive to “the flavor of the week.”
Ultimately, all these conversations come down to the important topic of how cybersecurity leaders and professionals engage with senior leadership, boards, and audit committees; and how they engage back.
As I re-read my article and guidance from 2020, I found that much of it is still very relevant. Some leaders and companies have made good progress, but many of the current major issues and challenges still stem from this topic. With that said, I’ve refreshed the article with some new data, observations, and recommendations. Most importantly, I refocused from misconceptions and pain points between business executives and CISOs to more proactive recommendations on how both can up their game and be more aligned toward results. I’ve also included a starter set of discussions and key measurement topics to drive transparency and partnership.
Business Executive’s Top 5 Focal Points for Cybersecurity Empowerment
The CEO and executive leadership team at all companies play a critical role in managing cybersecurity risk whether they know it or not. While the CISO (or senior-most information security leader) and IT play an important role in implementing the right technology, programs, & processes, business executives are foundational to the culture required to help the organization manage cyber risk. Here are my top 5 elements that business leaders should embrace and own:
| Top 5 Actions (Business Executive) | Reinforcing Stats and Quotes |
|---|---|
| 1. Helping to drive awareness, behavior, and culture change: Most cyberattacks begin with the deception of a human. IT or security sending out phishing messages isn’t enough. The most successful workforce engagement programs I’ve seen in cyber have had strong business executive engagement and action, including sharing real stories of impact and personal experiences with these topics. One of the best turn-around stories I’ve experienced was an HR leader using humility to talk about being tricked by a phish in an all-employee town hall and how it changed his mindset and upped his vigilance. | “85% of data breaches were due to the ‘human element’” – 2021 Data Breach Investigations Report, Verizon<br>“43% of employees are ‘very’ or ‘pretty’ certain they have made a mistake at work with security repercussions” – The Psychology of Human Error, Tessian |
| 2. Understanding what matters most within your business area: The business leaders who can articulate what information/data, business processes, third parties, and IT systems are most critical to their area will be more successful because they can focus on what matters most first. Being able to articulate top priorities based upon business risk can help your cybersecurity team focus, but also help you shore up business processes that rely on the workforce to protect sensitive information. | “The average healthcare worker has access to 31,000 sensitive files on their first day of work, including HIPAA-protected information, and nearly 20% of all files are open to every employee” (2021 Data Risk Report: Healthcare, Pharmaceutical & Biotech, Varonis)<br>“63% of C-Suite executives report their employees have left confidential documents out in the open” (Data Protection Report 2020, Shred-it) |
| 3. Owning business continuity planning (BCP): Business continuity planning is largely misunderstood in many organizations. When IT is driving BCP, it rarely works well, because a business continuity plan should be a specific plan for how a department, division, or company can work if normal operations are impacted (including, but not limited to, all IT systems being unavailable due to something like ransomware). Business leadership should have a clear line of sight and ownership of their plans for continuing if critical systems, facilities, third parties, or groups of people are unavailable for a short or extended period of time. Ransomware has been a perfect example of this, especially in healthcare. Many affected hospitals had to revive legacy paper medical charting and find legacy equipment that didn’t rely on connectivity to stay operational. For some hospitals, patients were diverted to other facilities for extended periods of time. | “A 2020 survey found that 51% of companies across the globe don’t have a business continuity plan” – Mercer via Economic Times |
| 4. Preparing and rehearsing cyber incident response: Preparing and practicing for a cyberattack and related response efforts shouldn’t be limited to technical exercises. I have long said that no company can eliminate the risk of a cyberattack occurring, so practicing and getting better at how such a crisis will be managed is the only thing that you can ensure. If you are not getting involved at this level, I would recommend that you discuss options for getting involved and be more prepared before the real crisis begins. | In a study by Ponemon Institute, “77% of respondents admit that they do not have a formal cyber security incident response plan (CSIRP) applied consistently across their organization” |
| 5. Engaging in information security risk governance: Companies that have maturing cybersecurity programs initiate a cross-functional forum to manage cyber risk for the company. I’ve seen this work as a stand-alone forum or as a regular part of broader risk committees. All the topics above must come together with additional context from the CISO’s information security team around the information security program, progress, and maturity, with context around the emerging threat landscape for the company. | “Consider having a separate committee for cybersecurity. ‘One-hundred percent of Fortune 500 companies told the [US Securities and Exchange Commission (SEC)] that cybersecurity is a risk,’ she said. ‘And 70 percent have cyber risk in the audit committee. Does the audit committee have the bandwidth for this?’” – NACD BOARDTALK |
CISO’s Top 5 Focal Points for Cybersecurity Empowerment
The CISO (or senior-most cybersecurity leader) has a critical but challenging role. Over time, the role has migrated out of the guts of IT infrastructure departments to the CIO lead team (in many cases), to the CEO’s lead team (in some cases). Regardless of reporting structure within your company, it is critical that CISOs navigate the full suite of executive leadership, establish effective governance, and enlist action from business executives. Here are my top five recommendations to help CISOs accomplish this:
| Top 5 Actions (CISO) | Reinforcing Statistics |
|---|---|
| 1. Operate beyond the technical: Many CISOs emerged from IT technical roles (although this isn’t as universal as it used to be). While technology and technical acumen are important for the CISO role, the senior leaders of cybersecurity programs need to operate at higher levels to achieve results beyond building and running technical toolsets. Why? Because technology alone has yet to eliminate cybersecurity risk. A significant part of the CISO role is managing cyber risk for the entire organization, not just IT. | “The most critical language to understand and speak well is simply the language of business. It allows you to be heard and respected when talking to your board and your senior executives. You need to be able to communicate things like revenue streams, risk management, what’s going on in all of your business units, and how security impacts all of it. Learning this language even more deeply involves becoming fluent in the different functional areas of your business—including HR, finance, sales, and marketing.” – Ed Harris, Security Round Table |
| 2. Help business leaders determine what is most critical within each of their functions: It is easy for CISOs to feel like they are trying to “boil the ocean.” Too many tools, projects, threats, and risks can quickly turn into a recipe for ineffective results. Using business risk and context (bridging data classification and business continuity by function) can help hone the priorities and starting points to enable more focused results. | “Crown jewels may often represent just 2% of your business, but they may dominate 70-80% of your brand value” – Cyber Management Alliance |
| 3. Improve cyber program and risk measures (KPIs and KRIs) that communicate a meaningful story that resonates with leadership at the right levels: Oftentimes, cyber program metrics get overly tool- and technology-focused. A hard count of vulnerabilities without the context of risk, mitigation, and impact is typically not helpful to produce. | “Measurement is the first step that leads to control and eventually to improvement. If you can’t measure something, you can’t understand it. If you can’t understand it, you can’t control it. If you can’t control it, you can’t improve it.” – H. James Harrington (author of Business Process Improvement) |
| 4. Maintain effective cross-functional governance for cyber risk and data protection: Senior leadership engagement and action will not happen without a little help. The key areas from the Business Executive’s Top 5 above can be brought to life through cross-functional governance with the support of executive sponsorship (ideally the CEO). It is easy for executives to claim support for cybersecurity but not put their weight behind helping. Bringing the right topics, actions, and accountability into the light through governance is critical to the success of any program at any level. | “Security leaders are under a lot of pressure to show quick wins while knowing full well that everything they do will be heavily scrutinized and challenged, and ultimately, they will pay the price for things that are not under their control.” — Yaron Levi, CISO, Blue Cross and Blue Shield of Kansas City, at SecureWorld Kansas City |
| 5. Enable the full workforce as an integral component of cyber defense: Many cyber program leaders feel content sending monthly ethical phishing tests and sporadic commodity online training as a checkbox for workforce cyber awareness. While there are some great tools to automate these tasks, these efforts alone will not change the culture and drive engagement. Developing and maintaining an ongoing cybersecurity behavior and culture change effort is critical, as is senior leadership engagement. The CISO must garner the right support to activate the full power of the organization’s workforce. | “The people domain was the weakest of the 3 domains analyzed (people, process, technology) according to the 2021 Hiscox cyber maturity model, yet funding for training decreased 8%” – Hiscox Cyber Readiness Report 2021, Hiscox |
Business Executive and CISO Discussion Playbook
While this playbook is designed for the business executive to better engage in cybersecurity, it can be used by information security leaders to proactively engage with executive stakeholders and create engagement and transparency. Additionally, these are foundational building blocks for high-value KPIs and KRIs to support telling the story in measurable ways.
- BUSINESS RISK: What are the most critical risks to our specific business and operations?
- Where could we see maximum damage and business impact if our company was faced with a cyber security event or if an insider acted maliciously?
- Do our organizational and functional leaders know what is most critical and where they need to be focused?
- Does the information security team need any help or insights in ratifying the top business risks, so that the executive leadership team can help drive focus?
- Have we evaluated cyber risk in the context of broader enterprise risks?
- THREAT LANDSCAPE: What are the most concerning threats that we are seeing right now? (Note: You want to focus on the current state and slightly into the future because there is no crystal ball in cyber.)
- Has the threat landscape changed since our last discussion?
- Is our current program focus still aligned to the threat landscape?
- Are there any changes we need to adjust for, or intentionally NOT react to?
- How do our top business risks correlate to the top threats we face?
- CURRENT STATE MATURITY: Where are we right now in our IS (Information Security) program maturity journey?
- How do/will we link maturity measurements to business risk reduction to ensure optimized focus? How do we get to the appropriate scale with our solutions?
- How did we evaluate our current maturity? (Against a framework? Using an independent external party or internal team? If an internal team, how did you mitigate internal bias?)
- FUTURE STATE MATURITY: What are we striving to achieve in our IS program journey over time?
- How will this future state target reduce critical business risks?
- What are the major milestones and outcomes we are targeting? (push your cyber program beyond tools and technologies toward business risk reduction)
- How are you splitting your focus and the focus of your team across people, process, and technology efforts?
- What organizational roadblocks (beyond IS and IT) do you see now or in the future? And how can the executive leadership team help?
- MEASUREMENT OVER TIME: How will we measure progress towards our goals of getting from our current state to our desired future state outcomes?
- How do we interactively track our progress against goals instead of relying on an occasional external review?
- How will we ensure consistent measurement of progress over time, across various leaders, and through changing organizational structures?
- What scorecard and metrics (Key Performance Indicators/KPIs & Key Risk Indicators /KRIs) do we need to garner executive lead team and board support for the program to the greatest extent possible?
- INTERNAL PARTNERING: How are we partnering across cyber security, physical security, IT, legal, compliance, and privacy for efficiency and risk coverage?
- What partner organizational roadblocks or points of friction exist (beyond IS and IT) now or in the near future and how can the executive team help?
- How could we increase efficiency amongst these teams for both the benefit of the functions themselves as well as the organizations they support?
- What governance structure or leadership sponsorship could enable this?
- EXTERNAL PARTNERING: How is the cyber security team connected to cross-company sharing groups or individual relationships?
- Is your team part of any external information exchange forums? (E.g. ISAC – Information Sharing Analysis Center)
- Can the executive leadership team make any introductions to company leaders that they are connected with or are board members of?
- Is your organization growing its skillset enough to evolve in this space? (e.g. the right time, focus, funding to enable)
- CISO’S BIGGEST CONCERNS: What most concerns you about the current state of cyber security at our company? (Sometimes this is phrased as “what keeps you up at night?”)
- What top concerns or risks do you feel are not getting the right visibility or attention?
- If you could wave a magic wand – what would you want to fix most?
- Is there anything that we could change to alleviate this concern, influence change, or expedite progress towards resolving your top concerns?
- EXECUTIVE SUPPORT: What help do you need from the company and executive team? (financial, organizational change/sponsorship, governance, making decisions)
- What can the executive leadership team do to help you and your team?
- Where can our executives recognize the great efforts of your team? (only where doing so will truly motivate your team)
- Is there anything that the executive leadership team is doing that creates a barrier to your progress?
- WORKFORCE AWARENESS AND ENGAGEMENT: How is the organization engaging around information security, and what is our cultural maturity?
- What are the most critical workforce awareness and behavior change needs across the organization that would minimize security risk?
- Are there any specific groups of workforce members or key roles/personas that we have a need for special additional focus on because of risk?
- What workforce-related interventions are currently underway or planned for the near future to minimize our risk?
- How do we measure the engagement and organizational change around critical security needs, behaviors, and goals – connected to critical business impacts?
Leaders need to treat this discussion playbook as a guide rather than a script. As with any important initiative, it cannot be a one-time discussion. Conversations should be dynamic, and people still need to use their analytical and conversational acumen to navigate them. I firmly believe that if more company leaders were having this level of conversation and taking this level of action, cyber security would be in a completely different state of control and transformation. Think about the big, publicized breaches and how many leaders were caught off guard, not in the right loop, and blamed specific people or things when the problems were truly holistic.
Do you have any other key questions or ways that you focus these leadership engagements? Feel free to leave a comment and this playbook will be updated as needed to maximize the value for all. Also, share your feedback if you found this helpful.
At Reveal Risk, we evaluate, design, and deliver strong programs, processes, and results in cybersecurity. If you find that you want assistance in building your company’s cyber security strategy, governance, and plan towards desired state maturity, please don’t hesitate to connect with us at email@example.com.
Learn more about our story here!