"Are we secure?"
That's the most common -- and challenging -- question that CISOs get asked by their board members, according to a recent report published by Kudelski Security. While there is no clear yes or no answer, the key is to first understand exactly what and why the board is asking, said John Hellickson, managing director of global strategy and governance at Kudelski Security.
"It is important to make it clear to the board that there is no such thing as perfect security," Hellickson said.
The report, titled "Cyber Board Communications & Metrics -- Challenging Questions from the Boardroom," highlights top questions CISOs are asked by their board members and offers strategies to address them. For example, one idea to help facilitate an effective CISO-board communication is to bolster board presentations with metrics and visuals.
The biggest takeaway for CISOs is that boards of directors are taking more interest in the security posture of their organizations, Kudelski Security CEO Rich Fennessy said. This provides both a challenge and an opportunity for CISOs, Fennessy added.
"The challenge is that a majority of CISOs, even seasoned ones, have difficulty understanding what boards are looking for and then providing this in a way that resonates," Fennessy said. "We feel that a new approach to communicating cyber risk is needed and this represents the opportunity."
A new approach to CISO-board communication
One of the most important findings from the report is the need for a new approach to communication between the CISOs and their organization's board members.
In today's volatile security landscape, it is vital that CISOs present the need to invest in a robust and mature cybersecurity program, Fennessy stressed. A partnership between CISOs and their board of directors is crucial to this end, he added, and the effectiveness of any company's security program depends on it.
To improve CISO-board communication, CISOs need to explain cybersecurity issues to the board in layman's terms, according to Bryce Austin, CEO at TCE Strategy and author of Secure Enough? 20 Questions on Cybersecurity for Business Owners and Executives.
"Explain the concepts of multifactor authentication, encryption in motion and at rest, zero-day vulnerabilities and GDPR," Austin said. "The board needs to understand what these concepts and regulations are and how they impact their company."
But because CISOs are given limited time to interact with the board, they have to learn how to engage quickly and partner for the common cause, Hellickson said. This means getting to know their organization, its vision and mission. CISO-board communication should become easier as CISOs learn more about the board's goals for the organization, share relevant security information and consider business needs in their presentations, he added.
"CISOs will start to create a bridge between the technology and the organizations' broader issues and challenges; linking security with the ability of the organization to go to market, operate efficiently, minimize downtime, reduce costs and finally become a key partner to the board," Hellickson said.
Metrics are an important tool for CISOs because they help answer key questions the board is likely to ask and help CISOs make their case, Hellickson said. Boards prefer objective, quantitative evidence, but both quantitative and qualitative metrics can be effective, he added.
Even the most seasoned CISOs find it challenging to translate security and risk information into business language that provides meaningful insight to boards and business leaders, he said.
"Traditionally, CISOs have presented boards with metrics related to technical and security operations, which are hard to understand," he added. "Presenting them can even reduce trust in their ability as security leaders."
-- Rich Fennessy, CEO, Kudelski Security
Boards are fact and financially driven, Austin reinforced. They want relevant data presented to them so that they can make the best decisions for their organization.
Core quantitative metrics like dwell time, details of new vulnerabilities discovered versus remediated, patch management data, number of incidents and vulnerabilities, and number of non-remediated risks should be part of the presentation, Hellickson said.
Other metrics to include are the outcomes of initiatives that aimed to reduce risk; how security has been integrated with application development; actions taken to improve the company's security risk posture; and the risks the organization has accepted and how they align with the company's agreed-upon risk tolerance, he added.
"We also think it is helpful to talk about security as a journey, showing where you're at today, where you want to get to and where you've made noteworthy progress," Hellickson said.
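The metrics Hellickson lists (dwell time, vulnerabilities discovered versus remediated, the non-remediated backlog, and accepted risk measured against the agreed tolerance) reduce to a short computation once incident and vulnerability records are at hand. The sketch below is an added illustration, not code from the report, Kudelski Security or the article; the tracker fields, the placeholder vulnerability ids and the tolerance values are all constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional

@dataclass
class Vulnerability:  # one record from a vulnerability tracker (constructed schema)
    ident: str        # placeholder id, not a real CVE
    severity: str     # "critical" | "high" | "medium" | "low"
    discovered: date
    remediated: Optional[date] = None
    risk_accepted: bool = False  # still open, but formally accepted by the business

# Constructed Q1 2018 data: incidents as (name, first compromise, detection date).
INCIDENTS = [
    ("phishing-mailbox", date(2018, 1, 3), date(2018, 1, 10)),
    ("web-shell", date(2018, 2, 1), date(2018, 3, 30)),
    ("lost-laptop", date(2018, 3, 5), date(2018, 3, 5)),
]
VULNS = [
    Vulnerability("vuln-001", "critical", date(2018, 1, 15), date(2018, 1, 20)),
    Vulnerability("vuln-002", "high", date(2018, 2, 2)),
    Vulnerability("vuln-003", "high", date(2018, 2, 20), risk_accepted=True),
    Vulnerability("vuln-004", "medium", date(2017, 12, 28), date(2018, 1, 9)),
    Vulnerability("vuln-005", "critical", date(2018, 3, 25)),
    Vulnerability("vuln-006", "low", date(2018, 3, 1), date(2018, 3, 15)),
]
PERIOD = (date(2018, 1, 1), date(2018, 3, 31))
# Assumed agreed-upon tolerance: how many open accepted risks the board will carry per severity.
RISK_TOLERANCE = {"critical": 0, "high": 2}

def board_metrics(incidents, vulns, start, end, tolerance):
    """Reduce tracker records to the board-level figures the article lists."""
    dwell = [(found - hit).days for _, hit, found in incidents if start <= found <= end]
    in_period = lambda d: d is not None and start <= d <= end
    open_ = Counter(v.severity for v in vulns if v.remediated is None and not v.risk_accepted)
    accepted = Counter(v.severity for v in vulns if v.remediated is None and v.risk_accepted)
    return {
        "median_dwell_days": median(dwell) if dwell else 0,
        "max_dwell_days": max(dwell, default=0),
        "discovered": sum(in_period(v.discovered) for v in vulns),
        "remediated": sum(in_period(v.remediated) for v in vulns),
        "open_by_severity": dict(open_),
        "accepted_by_severity": dict(accepted),
        "within_risk_tolerance": all(n <= tolerance.get(s, float("inf")) for s, n in accepted.items()),
    }

def quarterly_report():
    return board_metrics(INCIDENTS, VULNS, *PERIOD, RISK_TOLERANCE)
```

Note that `vuln-004` was discovered before the quarter but remediated inside it, so it counts toward remediated but not discovered; keeping the two counts on separate date fields is what makes the "discovered versus remediated" comparison honest.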