BrandPosts are written and edited by members of our sponsor community. BrandPosts create an opportunity for an individual sponsor to provide insight and commentary from their point-of-view directly to our audience. The editorial team does not participate in the writing or editing of BrandPosts.
By David Faraone, Sr. Consulting Director, Unit 42
For many Chief Information Security Officers (CISOs), reporting to the board of directors has been handled as a reactive, albeit very necessary, task. After all, it is the board of directors that sits atop the corporate governance model, so it is incumbent upon security professionals to keep them informed. But communicating about security incidents (the Log4j vulnerability, for example), fielding requests driven by regulatory requirements, or answering questions about a breach at a peer company in the same industry should not be the only moments when CISOs engage their boards.
On the contrary, security professionals should be in regular contact with their boards, keeping them informed and educated and establishing mutual trust. Ultimately, working together with the board of directors helps create a better security posture—something we all need.
While the board is sometimes thought of as just another group that security leaders need to report to, this governance group can actually be much more.
A board of directors can and should be thought of as the fourth line of defense for an enterprise's security. The first line of defense is day-to-day security operations: the capabilities managed by hands-on operational staff who triage incidents. The second line of defense is what we call the cyber governance function, and the third line is the internal audit and reporting function. The fourth line of defense, then, is the board of directors. It is critical that all four lines communicate effectively, so that gaps are eliminated and the result is a cohesive cybersecurity operation.
Enabling the board to be a partner for security and an effective fourth line of defense involves both sides trusting one another. For security professionals, this requires navigating what’s important to the board in terms of three main elements:
When communicating with your board, it is important to make sure that everyone speaks the same language. It is no secret that board members are not often cybersecurity experts. As a result, CISOs often struggle with what level of technical language to use, sometimes even shying away from sharing certain technical information because they do not know how to convey it to a non-technical audience.
I also often see CISOs who emphasize technical detail but fail to communicate risk in the business terms the board understands. The sweet spot in communicating with the board is keeping the audience engaged and conveying those risks accurately without scaring them.
Within Unit 42, we use the term ROSI, return on security investment, to frame this conversation. It is vitally important for CISOs to articulate, in financial terms, why a given security investment is critical: what return it delivers, which assets it protects, and how it protects them. The ROSI should also state the net gain in security maturity for the organization, measured objectively rather than subjectively.
One of the primary responsibilities that a CISO has to the board is to communicate risk in a proactive and meaningful way. Palo Alto Networks Unit 42 has developed a framework for communicating risk to the board that encompasses the following key steps and items:
We often see organizations reporting mostly operational security operations center (SOC) metrics, such as the number of attacks, alerts, or closed incidents, or how many unpatched operating systems remain, to show progress. But that does not go far enough to translate cyber risk. Categorically, those SOC metrics are lagging indicators: they describe what has already happened and drive reactive remediation.
We recommend that CISOs present leading indicators that promote proactive security initiatives. A good example of a proactive leading indicator is the number of third parties, or supply chain risk management resources, that have been assessed over the past 12 months. That metric shows not only how many high-risk supply chain resources the company has identified, but also how far it is going in validating its due diligence on those third parties.
Building a successful working relationship with any board is a process, but the very first key is to establish the relationship. Get to know your board and understand what resonates with them in terms of business risk. Knowing their focal issues is the only way you’ll be able to communicate to them how you’re protecting their best interests in terms of the business assets and the business imperatives.
Also, take a data-driven approach to what is communicated to the board. Eliminating subjectivity wherever you can places you in a better position, as you are simply stating the facts. That said, simply putting numbers on a slide does not work either. What works is storytelling. Board members want to understand the introduction, the plot, the climax, and the resolution. So do not just present the data; present the story behind it.
And fundamentally, remember: the board is part of the solution. They’re the fourth line of defense. As such, be sure to help enable and create a culture of empowerment, where leaders across the organization understand that security is everyone’s responsibility.
About David Faraone:
David is a senior director at Unit 42, leading the North America East Region Consulting Team. He is a highly accomplished cybersecurity consultant with deep expertise serving large organizations in areas such as CISO advisory support, cloud security strategy, network security architecture and design, and Internet of Things security.