CISOs struggle with the board amidst an economic downturn.
By Tim Fleming, Strategic Advisor, Silverfort
Cyber risk is now nailed firmly to the board table. A seemingly never-ending procession of high-profile data breaches and attacks causing operations to grind to a halt has seen to this. Fighting for priority amongst other business siloes has become less of a problem for the CISO.
However, a perennial issue that does still hold cyber risk back in the boardroom is that of communication. Interactions can still sometimes feel like they’re taking place in different languages, or are focussed on disparate objectives, something the accomplished security leader must seek to avoid.
Clouds on the economic horizon make this even more important. As a slowing global economy weighs on sentiment, the people, processes, and technology which make up a security leader's risk posture come under the microscope. Harder questions are asked about priorities. You must justify where your chips are laid.
Against this background, communicating with the board effectively becomes even more important.
Organisational impact as a unifying language
Now more than ever, a common language becomes crucial. As the economy tightens, so does the focus of the organisation on what is truly important – operational uptime, customer trust, reputation, regulatory compliance and, typically, the ability to continue generating revenues.
This is the lens through which discussions must be held. It’s not about cyber risk, but operational risk. In an economic downcycle the point must be made that, while the root cause of the problem might be micro, the impact could be macro. However, with the devil lying in a fragmented tangle of technical details far away from operations, this is often lost in translation.
Take Colonial Pipeline for example. The shutting down of the pipeline was caused not by a direct attack on OT systems, but by a knock-on effect of billing infrastructure being compromised and a fear of lateral movement into critical areas. Imagine trying to convince a board in advance that such a seemingly tangential risk would ultimately stop 380m litres of oil from flowing, every day. Doing so would have required a mastery of big-picture storytelling, just enough technical nuance, and care not to appear a scaremonger.
Making an effective cost argument for risk initiatives
In contrast to being able to articulate big picture impacts, security leaders in challenging economic cycles also need to articulate and defend the finer details of how they are prioritising investment. OPEX will invariably come under the spotlight as the security function is quizzed on potential cost savings.
Against this backdrop, communicating the ‘bang for buck’ from specific defensive capabilities is important. By breaking out the cost of security initiatives one line item at a time and highlighting how much risk is addressed by each, management teams can better understand the impact of expenditure. This is where risk frameworks can be a useful tool. By summarising how a seemingly fragmented set of security initiatives mesh to secure operations, a framework communicates where investment performs best. Just as importantly, it highlights where exposure will occur should cost savings be sought.
Take, for example, identity programs. A strategic approach to identity is an increasing part of board level conversations because it represents a highly effective investment against a broad swathe of cyber-attacks. While, to date, conventional controls have only covered small sections of the identity threat surface, security teams are waking up to the wholesale risk reduction benefits that can be achieved by understanding where these gaps lie and preventing malicious access. Doing so stifles lateral movement, stopping threat actors from carrying out a wide range of attacks. Highlighting the return on investment from such initiatives will stand security leaders in good stead with their boards.
Equally important in such conversations is making the case for protecting the workforce as much as possible. During tough times, it is tempting for senior teams to cut heads to make quick cost savings. While, on paper, this represents a short-term gain, the lost investment in people will be hard to replace when the inevitable upswing occurs, requiring an expensive and lengthy process down the line. Positioning your people as a cost-effective defensive investment, rather than an overhead, is crucial.
Bring senior stakeholders along with you
The final piece of the puzzle when communicating cyber risk strategy is stakeholder management. Understanding which members of the senior team have influence, directly or otherwise, over budgets and strategy is increasingly important to CISOs.
Start with building a map of the people who the security function has a bearing on and vice versa, whether technical or otherwise. Then, bring them in early to the decision-making process to ensure joint ownership of any proposed strategy or initiatives. Disgruntled stakeholders, often the cause of difficult questions and friction, are often the result of a lack of understanding about where cyber risk fits into their area of operations. This can be avoided with clear, transparent conversations. A CISO who takes the time to educate the right people will enjoy a far smoother path at the board level.
Ultimately, the debate around communicating with the board is not a new one for senior security leaders and the industry has come on leaps and bounds over the last few years. Current market conditions, however, add pressure as they intensify the need to justify resources. By collaborating with your target audience, framing communications in business terms, and being aware of where investment can be applied for maximum impact, CISOs are well placed to weather the worst of it.
About the Author
Tim Fleming is a Strategic Advisor at Silverfort. Having recently retired from Deloitte, Tim Fleming is now working as a consultant and advisor across the areas of cyber security and CIO advisory including IT strategies, and operations.
With extensive experience in the IT sector across many organizations and industries, Tim brings a wealth of knowledge to assist companies in their technology challenges in areas such as IT Strategy and Governance, IT operations, and cyber security. Tim’s experience would be invaluable to organizations in industries including media, financial and professional services.
Currently, as one of Tim’s roles, he is working closely with Silverfort Inc, a cybersecurity software provider with a unique and ground-breaking approach to identity protection and lateral movement protection.