Way back in January of 2020, before the world knew what was in store for it with a global pandemic and resulting non-voluntary digital transformation, I wrote an article called “The CxO Business Executive and Security Leadership’s Guide to Cyber Security Harmony.” I wanted to explore common points of friction between business executives and CISOs (Chief Information Security Officers) and create a playbook to enhance communication and transparency between leaders.
In the last couple of months, this topic resurfaced with different variations in multiple conversations.
Ultimately, all these conversations come down to the important topic of how cybersecurity leaders and professionals engage with senior leadership, boards, and audit committees; and how they engage back.
As I re-read my article and guidance from 2020, I found that much of it is still very relevant. Some leaders and companies have made some good progress, but many of the current major issues and challenges stem from this topic. With that said, I’ve refreshed the article with some new data, observations, and recommendations. Most importantly, I refocused from misconceptions and pain points between business executives and CISOs to more proactive recommendations on how both can up their game and be more aligned toward results. I’ve also included a starter set of discussions and key measurement topics to drive transparency and partnership.
Business Executive’s Top 5 Focal Points for Cybersecurity Empowerment
The CEO and executive leadership team at all companies play a critical role in managing cybersecurity risk whether they know it or not. While the CISO (or senior-most information security leader) and IT play an important role in implementing the right technology, programs, & processes, business executives are foundational to the culture required to help the organization manage cyber risk. Here are my top 5 elements that business leaders should embrace and own:
Top 5 Actions (Business Executive), each followed by reinforcing stats and quotes:
1. Helping to drive awareness, behavior, and culture change: Most cyberattacks begin with the deception of a human. IT or security sending out phishing messages isn’t enough. The most successful workforce engagement programs I’ve seen in cyber have had strong business executive engagement and action, including sharing real stories of impact and personal experiences with these topics. One of the best turn-around stories I’ve experienced was an HR leader using humility to talk about being tricked by a phish in an all-employee town hall and how it changed his mindset and upped his vigilance.
“85% of data breaches were due to the ‘human element’” - 2021 Data Breach Investigations Report, Verizon
“43% of employees are ‘very’ or ‘pretty’ certain they have made a mistake at work with security repercussions” - The Psychology of Human Error, Tessian
2. Understanding what matters most within your business area: The business leaders that can articulate what information/data, business processes, third parties, and IT systems are most critical to their area will be more successful because they can focus on what matters most first. Being able to articulate top priorities based upon business risk can help your cybersecurity team focus, but also help you shore up business processes that rely on the workforce to protect sensitive information.
“The average healthcare worker has access to 31,000 sensitive files on their first day of work, including HIPAA-protected information, and nearly 20% of all files are open to every employee” (2021 Data Risk Report: Healthcare, Pharmaceutical & Biotech, Varonis)
“63% of C-Suite executives report their employees have left confidential documents out in the open” (Data Protection Report 2020, Shred-it)
3. Owning business continuity planning (BCP): Business continuity planning is largely misunderstood in many organizations. When IT is driving BCP, it rarely works well because a business continuity plan should be a specific plan for how a department, division, or company can work if normal operations are impacted (including but not limited to all IT systems being unavailable due to something like ransomware). Business leadership should have a clear line of sight and ownership of their plans for continuing if critical systems, facilities, third parties, or groups of people are unavailable for a short or extended period of time. Ransomware has been a perfect example of this, especially in healthcare. Many affected hospitals had to revive legacy paper medical charting and find legacy equipment that didn’t rely on connectivity to stay operational. For some hospitals, patients were diverted to other facilities for extended periods of time.
“A 2020 survey found that 51% of companies across the globe don’t have a business continuity plan” - Mercer via Economic Times
4. Preparing and rehearsing cyber incident response: Preparing and practicing for a cyber-attack and related response efforts shouldn’t be limited to technical exercises. I have long said that no company can eliminate the risk of a cyberattack occurring, so practicing and getting better at how such a crisis will be managed is the only thing that you can ensure. If you are not getting involved at this level, I would recommend that you discuss options for getting involved and be more prepared before the real crisis begins.
In a study by Ponemon Institute, “77% of respondents admit that they do not have a formal cyber security incident response plan (CSIRP) applied consistently across their organization”
5. Engaging in information security risk governance: Companies that have maturing cybersecurity programs initiate a cross-functional forum to manage cyber risk for the company. I’ve seen this work as a stand-alone forum or as a regular part of broader risk committees. All the topics above must come together with additional context from the CISO and information security team around the information security program, progress, and maturity, with context around the emerging threat landscape for the company.
“Consider having a separate committee for cybersecurity. ‘One-hundred percent of Fortune 500 companies told the [US Securities and Exchange Commission (SEC)] that cybersecurity is a risk,’ she said. ‘And 70 percent have cyber risk in the audit committee. Does the audit committee have the bandwidth for this?’” – NACD BOARDTALK
CISO’s Top 5 Focal Points for Cybersecurity Empowerment:
The CISO (or senior-most cybersecurity leader) has a critical but challenging role. Over time, the role has migrated out of the guts of IT infrastructure departments to the CIO’s lead team (in many cases) or the CEO’s lead team (in some cases). Regardless of reporting structure within your company, it is critical that CISOs navigate the full suite of executive leadership, establish effective governance, and enlist action from business executives. Here are my top five recommendations to help CISOs accomplish this:
Top 5 Actions (CISO), each followed by reinforcing statistics:
1. Operate beyond the technical: Many CISOs emerged from IT technical roles (although this isn’t as universal as it used to be). While technology and technical acumen are important for the CISO role, the senior leaders of cybersecurity programs need to operate at higher levels to achieve results beyond building and running technical toolsets. Why? Because technology alone has yet to eliminate cybersecurity risk. A significant part of the CISO role is managing cyber risk for the entire organization, not just IT.
“The most critical language to understand and speak well is simply the language of business. It allows you to be heard and respected when talking to your board and your senior executives. You need to be able to communicate things like revenue streams, risk management, what’s going on in all of your business units, and how security impacts all of it. Learning this language even more deeply involves becoming fluent in the different functional areas of your business—including HR, finance, sales, and marketing.” – Ed Harris, Security Round Table
2. Help business leaders determine what is most critical within each of their functions: It is easy for CISOs to feel like they are trying to “boil the ocean.” Too many tools, projects, threats, and risks can quickly turn into a recipe for ineffective results. Using business risk and context (bridging data classification, business continuity by function) can help hone the priorities and starting points to enable more focused results.
“Crown jewels may often represent just 2% of your business, but they may dominate 70-80% of your brand value” – Cyber Management Alliance
3. Improve cyber program and risk measures (KPIs and KRIs) so that they tell a meaningful story that resonates with leadership at the right levels: Oftentimes, cyber program metrics get overly tool and technology focused. A hard count of vulnerabilities without the context of risk, mitigation, and impact is typically not helpful.
“Measurement is the first step that leads to control and eventually to improvement. If you can’t measure something, you can’t understand it. If you can’t understand it, you can’t control it. If you can’t control it, you can’t improve it.”
4. Maintain effective cross-functional governance for cyber risk and data protection: Senior leadership engagement and action will not happen without a little help. The key areas from the Business Executive’s Top 5 above can be brought to life through cross-functional governance with the support of executive sponsorship (ideally the CEO). It is easy for executives to claim support for cybersecurity but not put their weight behind helping. Bringing the right topics, actions, and accountability into the light through governance is critical to the success of any program at any level.
“Security leaders are under a lot of pressure to show quick wins while knowing full well that everything they do will be heavily scrutinized and challenged, and ultimately, they will pay the price for things that are not under their control.” — Yaron Levi, CISO, Blue Cross and Blue Shield of Kansas City, at SecureWorld Kansas City
5. Enable the full workforce as an integral component of cyber defense: Many cyber program leaders feel content sending monthly ethical phishing tests and sporadic commodity online training as a checkbox to workforce cyber awareness. While there are some great tools to automate these tasks, these efforts will not change the culture and drive engagement. Developing and maintaining an ongoing cybersecurity behavior and culture change effort is critical, as is senior leadership engagement. The CISO must garner the right support to activate the full power of the organization’s workforce.
“The people domain was the weakest of the 3 domains analyzed (people, process, technology) according to the 2021 Hiscox cyber maturity model, yet funding for training decreased 8%” - Hiscox Cyber Readiness Report 2021, Hiscox
Business Executive and CISO Discussion Playbook
While this playbook is designed for the business executive to better engage in cybersecurity, it can be used by information security leaders to proactively engage with executive stakeholders and create engagement and transparency. Additionally, these are foundational building blocks for high-value KPIs and KRIs to support telling the story in measurable ways.
Leaders need to treat this discussion playbook as a guide rather than a script. As with any important initiative, it cannot be a one-time discussion. Conversations should be dynamic, and people still need to use their analytical and conversational acumen to navigate. I firmly believe that if more company leaders were having this level of conversation and action, cybersecurity would be in a completely different state of control and transformation. Think about the big, publicized breaches and how many leaders were caught off guard, not in the right loop, and blamed specific people or things when the problems were truly holistic.
***
Do you have any other key questions or ways that you focus these leadership engagements? Feel free to leave a comment and this playbook will be updated as needed to maximize the value for all. Also, share your feedback if you found this helpful.
At Reveal Risk, we evaluate, design, and deliver strong programs, processes, and results in cybersecurity. If you find that you want assistance in building your company’s cyber security strategy, governance, and plan towards desired state maturity, please don’t hesitate to connect with us at info@revealrisk.com.