The responsibilities of top security executives are evolving constantly as most employees now work remotely, creating new opportunities for cyberattacks and disruption. In these tense times, strong communication skills are important for security leaders, especially for those protecting critical infrastructure. While businesses adapt to this new dispersed working environment, CISOs must maintain constant communication with the board to ensure that top management understands the importance of security.
Here are five security points for CISOs to communicate:
- Encourage ongoing conversations about risk. CISOs have to explain and quantify any potential risk to the business. If a risk does not get discussed at the board level, line-of-business managers may assume that it has been accepted, and this can have an adverse impact on the business. CISOs must lead ongoing conversations with the board that translate the impact of cyber risk into overall business risk. This is a necessity for business continuity and integration, and for limiting operational disruption. The board must also have full visibility into the complexities of these risks, and CISOs need to quantify them in terms of tangible impact, such as lost revenue, downtime or reputation damage.
- Point out the unique risk profiles of different networks. At a more granular level, CISOs need to explain that each part of an organization’s structure and network has a different risk profile. Over the last three to five years, the growing acceptance of digital transformation projects has created new attack vectors targeting traditionally isolated parts of a network. Because of this increased connectivity, certain areas within an organization (such as OT networks with legacy systems) are becoming more of a focus, and they may be less secure than others. It’s the CISO’s job to educate the board on the inequalities between the parts of an organization’s network infrastructure and to attach a risk profile to each. For example, a CISO may deliver updates on the security of a business’s manufacturing facilities, physical buildings or traditional IT infrastructure, and each of these segments will carry different components of risk. The intricacies of these risk profiles must be explained to the board together with recommended actions for addressing each risk.
- Explain the business impacts of breaches. Board members need to understand the impact of breach scenarios so they understand the risks. Let’s face it, many board members do not have a background in technology or security; they are largely finance professionals, so it’s important to translate technical cyberspeak into clear business impacts. Most companies run their infrastructure on a few different cloud providers, not to mention the explosion of SaaS applications, in many cases deployed without the knowledge of IT. Security pros need to ensure visibility across the company’s infrastructure and have proper security configurations in place. The security team has to identify the most critical assets and the disaster recovery plans that cover them. If a cloud provider malfunctions, internal HR tools or other essential services could go down. Business executives will understand these consequences. The same goes for manufacturing facilities. If an adversary manipulated the operations of the OT components at a manufacturer or an energy company, this could sabotage operations and/or hand better intelligence to competitors. Downtime also costs money and productivity. The bottom line for CISOs: they have to explain the real, tangible business impacts.
- Educate members about industry incidents and benchmarks. CISOs need to educate the board on what’s going on with competitors and with the industry in general from a threat actor perspective, and explain the possible impact. For example, when NotPetya accidentally spilled over into many production environments, it was clear that manufacturing companies needed to seriously examine their IT/OT segmentation and vulnerabilities. CISOs also need to deliver meaningful benchmarks. These can include security budgets, security personnel, publicly disclosed incidents, and the financial impacts of those incidents. All kinds of KPIs are public knowledge, which lets CISOs measure their own KPIs against those of their peers. CISOs can use them to educate the board and show where the company stands relative to industry averages as a way to drive budgets and agendas. Board members need this external data to validate their decisions and to see where their business stands.
- Show how digital transformation creates positive change. Finally, during the COVID-19 period, the businesses that fared well were those that adapted quickly. Although COVID was an extreme event, it revealed gaps and exposed the unpreparedness of some businesses. Companies that proactively embraced digital transformation projects to optimize security were far more flexible and operational than those that maintained traditional business processes. Disruption can and will present itself at the most inopportune times, so businesses must prepare for future challenges.
Digital transformation projects will give companies a competitive edge and deliver better business results, whether that means gaining data analytics or connecting different systems within an organization. Those benefits are best protected when companies integrate cybersecurity into their digital transformation changes and processes. If a board approaches digital initiatives proactively, discusses security as a vital part of the business and collaborates with its technology leaders, it will gain a competitive advantage both in times of normalcy and in times of disruption.
Galina Antova, co-founder and chief business development officer, Claroty