Cyber threats continue to evolve and become more widespread. These advanced attacks include everything from malware and phishing to artificial intelligence, ransomware and more, putting the assets of governments, organizations and individuals at risk.
The stakes are higher than ever for organizations today. For example, following the 2021 ransomware attack on Colonial Pipeline, the United States Department of Justice announcement that it would give cyberattacks the same investigative priority as conventional terrorism.
Yet while protecting against ransomware attacks and other cyber threats is clearly a strategic goal for today’s organizations, that goal is undermined by a persistent problem: the disconnect that occurs when CISOs attempt to report a risk. to their board of directors. This communication breakdown often leads to misunderstandings, unnecessary risks, and disastrous cyberattack results.
This is evident in many organizations around the world, as only 9% of security teams believe they are very effective at communicating security risks to the board and other C-suite executives, according to a recent Ponemon. Institute. survey.
CISOs desperately need a better way to articulate cybersecurity risks to their board of directors, not only to be able to do their jobs adequately, but to ensure the safety and security of their organization as a whole.
The disconnect between the CISOs and the board of directors
Due to a longstanding belief by boards and management that cybersecurity is a cost center and a “fire drill” operation rather than a business enabler, CISOs have no traditionally not received the resources or funding they need. Part of the problem is that security leaders often struggle to articulate the dangers of poor cybersecurity hygiene, using technical language that fails to properly describe business risk.
CISOs occupy a privileged position in terms of understanding risks. Yet few organizations are reaping the benefits of this perspective. A 2021 Ponemon Institute study showed that only 7% of CISOs report directly to their CEO. About 60% of CISOs “regularly brief” their board, which doesn’t sound too bad until you realize that almost half of this reporting takes place after a security breach.
Encouragingly, the percentage of board-level leaders who view cybersecurity as a direct business risk increased from 58% to 88% between 2016 and early 2022. However, serious gaps still exist in management structures. corporate reporting and board reporting procedures and the problem of effectively communicating risk to the business remains.
Again, the main challenge is explaining technical issues to a non-technical audience. Often, CISOs don’t know where to start when relaying information to those unfamiliar with the topic.
Other challenges security teams face when reporting a risk to the board include:
- Quantify breach risk to critical business assets across on-premises and cloud environments in one easy-to-understand report
- Explain the cybersecurity risks introduced when acquiring new businesses, and the steps needed to mitigate them
- Assess the risk to the business resulting from third-party vendors
- Identify the least-cost path for maximum impact on the organization’s security posture and where to focus remediation efforts
- Estimating the impact of security investments on security posture over time
A better way to report risk
Today, most CISOs report risk based on the number of vulnerabilities, incidents, and patches that occur and how those numbers change over time, but they don’t provide the context that the advice directors need to fully understand the risk. For example, a CISO may say that 10,000 vulnerabilities have been fixed, but what does that mean? Are 99% of critical assets protected against breach? Or only 39%? Long talk about security team actions based on conventional metrics can create white noise and obscure the real heart of the matter: are your assets safe or not? Ultimately, CISOs need to convey the full picture of risk, which requires context and causation.
Boards need a clear understanding of the business value of all security investments and the real ramifications of a cybersecurity incident. The key is to ensure that problems, solutions, and value propositions are all articulated clearly and concisely in business language, with supporting metrics. These metrics will ultimately impact key decisions around budget, resources, and the organization’s overall security posture.
CISOs cannot clearly articulate which critical applications, data, and systems are most at risk if they do not have full visibility into the potential impact of changes. A proven method is to model the attack path, mapping all possible paths an attacker could take through the network (due to misconfigurations, vulnerabilities, overly permissive credentials, and other health and safety issues) to reach the organization’s critical assets. This graphical visualization of the attack surface makes it easy to quantify the risk to the “crown jewels” of the enterprise, reducing noise and clearly illustrating security action priorities.
The security team can also contextualize these risks to every part of the business, including ERP departments, business departments, cloud environments, customer databases, and more. By providing such deep visibility into the true ramifications of cyberattacks, CISOs can help their boards understand cybersecurity risk, the efforts being made to reduce it, and the success of those efforts, while also being able to communicate the probability that specific high-level attacks are likely to occur in their environment.
Ultimately, CISOs need more than the right message, they also need the right tools. Managing the attack path can help ensure board members walk away with a much clearer understanding of cybersecurity risks.