Cybersecurity in the Boardroom: How to Report Risk to Leadership

Cybersecurity threats are continuing to evolve and become more widespread. These advanced attacks include everything from malware and phishing to artificial intelligence, ransomware and more, endangering the assets of governments, organizations and individuals.

The stakes are higher than ever for today’s organizations. For example, in the wake of the 2021 ransomware attack on Colonial Pipeline, the United States Justice Department announced that it would give cyberattacks the same investigative priority as conventional terrorism.

Yet while protection from ransomware attacks and other cyberthreats is clearly a strategic objective for today’s organizations, that goal is jeopardized by a persistent problem: The disconnect that occurs when CISOs attempt to report risk to their board. This failure of communication often leads to misunderstanding, unnecessary risk and cyberattack outcomes that are disastrous. 

This is apparent at numerous organizations globally, as only 9% of security teams feel they are highly effective in communicating security risks to the board and to other C-suite executives, according to a recent Ponemon Institute survey. 

CISOs are in desperate need of a better way to articulate cybersecurity risk to their board—not just to be able to adequately do their job, but to ensure the safety and security of their organization as a whole.

The Disconnect Between CISOs and the Board

Due to a long-held belief by boards and management that cybersecurity is a cost center and a ‘fire drill’ operation rather than a business enabler, CISOs have traditionally not been given the resources or funding that they need. Part of the problem is that security leaders often struggle to articulate the dangers of poor cybersecurity hygiene, using technical language that does not adequately outline the business risk. 

CISOs sit in a privileged position in terms of understanding risk. Yet few organizations reap the benefits of this perspective. A 2021 Ponemon Institute study showed that only 7% of CISOs report directly to their CEOs. Roughly 60% of CISOs “regularly brief” their board of directors, which doesn’t sound that bad until you realize that nearly half of these briefings occur after a security failure.

Encouragingly, the percentage of board-level leaders who view cybersecurity as a direct business risk rose from 58% to 88% between 2016 and the beginning of 2022. However, serious shortcomings clearly still exist within corporate reporting structures and board reporting procedures and the problem of effectively communicating risk to the business remains.

The Challenges of Reporting

Again, the core challenge is explaining technical problems to a non-technical audience. CISOs often don’t know where to begin when conveying information to those who are unfamiliar with the subject. 

Other challenges that security teams face when reporting risk to the board include:

• Quantifying the risk of a breach to business-critical assets across on-premises and cloud environments in one easy-to-understand report 
• Explaining the cybersecurity risks introduced when new companies are acquired, along with the steps necessary to mitigate them
• Assessing the risk to the business as a result of third-party suppliers
• Identifying the path of least cost for maximum impact on the organization’s security posture and where to focus remediation efforts 
• Estimating the impact of security investments on security posture over time

A Better Way to Report Risk

Today, most CISOs report risk based on how many vulnerabilities, incidents and patches occur and how those numbers change over time, but they fail to provide the context that boards require to fully understand the risk. For example, a CISO may say that 10,000 vulnerabilities have been patched, but what does that mean? Are 99% of critical assets protected against a breach? Or only 39%?  Lengthy discourses about security team actions based on conventional metrics can create white noise and obfuscate the real heart of the matter: Are your assets safe, or are they not? Ultimately, CISOs need to convey the full picture of risk, and that requires context and causality.

Boards require a clear understanding of the business value of all security investments and the real-world ramifications of a cybersecurity incident. The key is to make sure that problems, solutions and value propositions are all clearly and concisely articulated in business language—with metrics to back it up. These metrics will ultimately impact key decisions on budget, resources and the overall security posture of the organization.

CISOs cannot clearly explain which critical applications, data and systems are most at risk unless they have complete visibility into the potential impact of changes. One proven method involves attack path modeling—mapping all possible pathways that an attacker could take through the network (due to misconfigurations, vulnerabilities, overly permissive credentials and other security hygiene issues) to reach the organization’s critical assets. This graphical visualization of the attack surface makes it simple to quantify the risk to the business’ ‘crown jewels,’ cutting through the noise and clearly illustrating security measure priorities. 

The security team can also contextualize these risks to each part of the business, including ERP services, business services, cloud environments, customer databases, etc. By providing such in-depth visibility into the real-world ramifications of cyberattacks, CISOs can help their boards understand cybersecurity risk, the efforts being made to reduce it and the success of these efforts, as well as being able to communicate how likely specific high profile attacks are likely to happen in their environment. 

Ultimately, CISOs need more than the right message—they also need the right tools. Attack path management can help ensure that board members walk away with a much clearer understanding of cybersecurity risk.

Comments are closed.