I wanna see you be brave
Today, many organizations’ executive teams and boards of directors conflate cybersecurity and risk. Risk management is a broader practice than security alone, but cybersecurity is an increasingly “big ticket item” on boards’ agendas—alongside other more traditional risk discussions—since it’s clear that a major breach can impact the organization in meaningful ways. The concept of risk is newer to security than it is to market expansion, product development, finance, operations, and so on, because cybersecurity, itself, is newer. It is no less important, however, and boards are keen to quantify cyber risk just as they’ve been for other areas of business for decades.
Despite this, security teams themselves struggle to accurately define security in risk terms. The fact is, a great security practitioner may not be a great risk practitioner (or a risk practitioner at all), and therein lies the rub. Security is being tasked with adopting an additional discipline without much help or guidance from the organization. While security practitioners can—and should—take personal steps towards becoming more fluent in risk, it’s also important for security teams to (first) understand and (then be able to) communicate to boards the key elements of security risk. Not all risk is created equal, and because executives and boards are not comfortable with security as a discipline, security must step up to the plate.
You can be amazing you can turn a phrase into a weapon or a drug
Yes, it’s been said a thousand times: security must start speaking the language of the business and stop focusing on technical details that the board can neither understand nor use. Security practitioners need to mature in this area, but in doing so cannot forget that security is a technical business. When it comes to security risk management, the underlying technology is extremely important. Not so important that CISOs should begin explaining to the board the ins and outs of log analysis, but it’s the underlying technology that informs business decisions: What types of sensitive data does your company maintain? Where does it reside? Is the technology supporting that data up to date? Which systems and applications are integrated with third parties, and are you able to assess the security of those third-party relationships?
The answers to these types of questions (and more) are the basis of information security risk management. Security teams must help educate the board about what cybersecurity risk is and what it isn’t. Jack Jones, risk management expert and Co-founder and EVP of Research and Development at RiskLens, says that the #1 question asked of the security team by the board is, “How secure are we compared to other organizations?” Even if a CISO (or equivalent) could accurately and realistically measure this, the real question is: Why does that matter? There are no prizes in security for being better than the last company that lost one million customer records, or worse than the company that lost just twenty. Security risk management isn’t a scorecard ranking and it certainly isn’t a checklist; it’s an understanding of the organization’s individual vulnerabilities and specific threat landscape, and the ability to use that information to incrementally lessen the likelihood of a security incident through continuous improvement of sound technology processes and controls.
New threats and vulnerabilities will constantly be added to the equation, so achieving a “zero probability” is unrealistic. In any case, the goal of security risk management shouldn’t be to “win,” despite common industry nomenclature. Executives and boards are used to dealing with “complex and dynamic challenges in other disciplines every day,” says Jones, so security teams can feel comfortable knowing that, even if the discipline is different and unfamiliar, the concept isn’t.
You can be the outcast or be the backlash
Boards may not yet be intimately familiar with the specifics of running a highly effective information security team. They may never be; they may never need to be. That’s the job of the security team, after all. What boards and executives really want to know is what bullets they have to dodge, what boulders they have to clear from the path, and how likely it is that unexpected obstacles will appear and impede progress. Every major business decision creates some level of risk. Executives are familiar and comfortable (to varying degrees) with risk, and so too must security teams be. Learning more about risk management is an important step in aligning with the business. Without a profound understanding of what constitutes security risk, security can neither educate the board on what security risk is nor communicate to the board what it really needs to know to run the business. And that’s the name of the game: providing the board with necessary and relevant information upon which it can base strategic organizational decisions.
Or you can start speaking up
What the board really wants to know about security and risk is: what do we have to know to move forward with the least friction and fewest obstacles? When obstacles get in our way, how quickly and with how little damage can we return to normal? Cybersecurity risk is a big part of this, and thus security teams must set the foundations for gathering relevant information and learning how to clearly and effectively—in business terms—communicate cyber risk. Boards often know what they don’t know and are relying on security executives to be the experts. Be that conduit, and guide questions to the appropriate place when they are off track. Provide accurate and actionable risk information, and security becomes a trusted business advisor and influencer. As a “big ticket item” on board agendas, security can either contribute to overall business growth or remain a cost center. Low security risk is a competitive business advantage; help your board of directors understand how your security team is making that happen.