Cybersecurity Metrics, Litigation Risks, and 10 Critical People Skills for CISOs – BSW #260

In 2022, 88% of boards say that cybersecurity is a business issue, not a technical one. This conversation is about resetting executive engagement, putting a business context around security, and literally how we invest in security. You should not assume that your board members have the right information to make business decisions about cybersecurity investment just because they are nodding and smiling as you speak to the business importance of cybersecurity .

Here are 5 examples of cybersecurity value deliver metrics you should give to your board: 1. Time to Remediate Incidents: What is your average time (in hours) between incident ticket generation and ticket close for “critical & high priority” security incidents? 2. OS Patching Cadence (Standard): What is your average time (in days) to apply critical operating system patches within your standard patch process? 3. Risky 3rd Parties Engaged: What percentage of known third parties with poor security assessment results have been engaged by the organization? 4. Phishing Reporting Rates: What is your percentage of people who report suspicious emails for your standard organization-wide phishing campaigns? 5. Recovery Testing – Core Systems: What is your percentage of core systems supporting critical business/mission functions that have successfully completed full recovery testing in the last 12 months

Cybersecurity and data protection are expected to become top drivers of legal disputes. What litigation risks should CISOs be most concerned about and what can they do about it? 1. Data breaches draw lawsuits 2. CISOs under fire 3. Loss of trade secrets and reputational damage 4. Regulations and requirements

The Proposed Rules provide clues as to the type of material cybersecurity incidents and risks that may warrant disclosure, including: - Incidents violating a company’s security policies or procedures, or that expose a company to liability; - Incidents affecting a company’s reputation, products, or services, including decreases or delays in production; - Incidents affecting a company’s financial position, either directly or indirectly, through adverse costs such as payments for ransom or extortion demands, fees for remediation or increased cybersecurity protection, lost revenue, or any damage to the company’s competitiveness; - Incidents disturbing a company’s relationship with either its customers or suppliers through the accidental exposure or access to customer data, deliberate attacks to seal, sell, or alter data, and compromises to the confidentiality, integrity, or availability of such information; - Incidents affecting a company’s operations including unauthorized access to, damage to, interruption or loss of control over business information or systems; and - Individually immaterial incidents that are material in the aggregate, meaning that a number of smaller but continuous cybersecurity breaches may, in fact, be subject to disclosure.

The proposed SEC rules for boardroom cyber expertise follow the approach taken by the SEC 20 years ago with financial expertise. Instead of focusing on job titles, expertise is about the depth of experience, competencies and formal education on these issues. The proposed SEC rules suggest that expertise be determined by: - Whether the director has prior work experience in cybersecurity, including, for example, prior experience as an information security officer, security policy analyst, security auditor, security architect or engineer, security operations or incident response manager or business continuity planner; - Whether the director has obtained a certification or degree in cybersecurity; and - Whether the director has knowledge, skills or other background in cybersecurity, including, for example, in the areas of security policy and governance, risk management, security assessment, control evaluation, security architecture and engineering, security operations, incident handling or business continuity planning.

Here are 10 of those softer skills that technology leaders need: 1. Communication skills 2. An ability to tell stories 3. Empathy 4. Curiosity 5. Ability to promote collaboration 6. Ability to build trust 7. Vulnerability 8. Ability to promote inclusion 9. Future-thinking 10. Ability to motivate people