By Jose Seara, Founder and CEO, Denexus
As the legal matter between SolarWinds and the SEC has demonstrated, the landscape of CISO liability is expanding. When the SEC announced that SolarWinds' CISO Timothy Brown would face charges for failing to disclose the severity of known cybersecurity risks, the CISO community realized that the personal and organizational stakes of cyber risk management are higher than ever.
Beyond the legal and financial liability illustrated by the SEC's fraud and internal control charges against Brown, the case reinforces that cybersecurity breaches carry a significant risk of compliance fines and reputational damage. With consequences heightened across the board, security leaders must do more than ensure organizational compliance; they must go beyond it to actually secure critical systems and data. Compliance usually drives behavior, but it is rarely the end point.
However, CISOs cannot tackle this challenge alone. To protect an organization from breaches, lawsuits, fines and reputational damage, CISOs must collaborate with their C-suite peers (CFOs in particular) to ensure that priorities are aligned. The C-suite in turn must work with the Board, which holds ultimate governance responsibility.
Communication Within the C-Suite
Because of the nature of their roles, CISOs and other C-suite executives tend to focus their time and attention on separate parts of the business. Those siloed priorities can prevent the organization from building and maintaining a complete picture of how severe its cyber risks are. Preventing a situation like the one at SolarWinds requires clear, consistent communication between CISOs and C-suite executives such as CFOs.
Without continuous communication between CISOs and other C-suite leaders, there is no way to ensure that everyone is on the same page. The challenge is that they usually speak different jargon, and more often than not they deal with competing priorities. That need not be the case. The implications of cyber risk are not limited to security concerns; we have now seen how quickly these risks can turn into major legal and financial problems. Security concerns therefore need to be disclosed explicitly and continuously to every member of the C-suite, so that each executive understands the presence and severity of cyber risks, how those risks can snowball into situations that directly affect their own function, and how they can hurt the organization's bottom line.
Speaking the Same Language
One of the biggest barriers to communication between CISOs and C-suite executives is the difficulty of expressing cyber risks and their implications in terms that make sense to people without a security background. This matters most for CISOs and CFOs, who must work together continuously to relate potential security incidents to their legal and financial consequences, and to prioritize cybersecurity investments by their return on investment and their effect on risk.
To support this, organizations can use cyber risk quantification and management (CRQM) tools that aggregate data on threats, vulnerabilities and exposures and translate it into financial terms a CFO can act on, such as expected annual loss and the loss reduction a given control would buy. Expressing risk in the language of the business makes the critical conversations between CISOs and other C-suite members easier and keeps the organization aligned.
Once CISOs and business leaders like CFOs speak the same language and understand each other's priorities, they can align their goals in support of the organization as a whole, and they have the shared understanding needed to implement risk mitigation strategies grounded in data, evidence and outcomes relevant to each leader and line of business. Not everything is about vulnerabilities and firewalls, and not everything is about the return on a specific investment viewed on a stand-alone basis. A targeted investment in an expensive firewall upgrade can protect you from a massive post-incident lawsuit and yield an outsized return in terms of risk mitigation.
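As an added illustration of what "translating risk into financial terms" looks like in practice (example code written for this page, not a DeNexus product or method), the following Python script runs a small Monte Carlo loss model. Each scenario is described by an annual event frequency and a 90% confidence range for the loss per event; the script simulates thousands of years to produce an expected annual loss and a 95th-percentile "bad year", then compares the loss reduction a control delivers against that control's annual cost to give a return on security investment (ROSI). The scenario figures (a phishing-driven ransomware scenario and an MFA control) are constructed placeholders, not data from any real organization.

```python
"""Monte Carlo cyber risk quantification: expected annual loss and control ROI.

Added example for this article, not DeNexus code. All scenario numbers below
are constructed placeholders chosen for illustration only.
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    name: str
    annual_frequency: float  # expected loss events per year (Poisson mean)
    loss_low: float          # 5th percentile of per-event loss, in dollars
    loss_high: float         # 95th percentile of per-event loss, in dollars


# For a 90% confidence interval the 5th/95th percentiles sit at mu -/+ 1.6449 sigma.
_Z90 = 1.6449


def lognormal_params(low: float, high: float) -> tuple[float, float]:
    """Translate a (5th, 95th) percentile loss range into lognormal mu and sigma."""
    mu = (math.log(low) + math.log(high)) / 2.0
    sigma = (math.log(high) - math.log(low)) / (2.0 * _Z90)
    return mu, sigma


def analytic_expected_annual_loss(s: RiskScenario) -> float:
    """Closed form used as a sanity check: frequency * mean per-event loss,
    where the mean of a lognormal is exp(mu + sigma^2 / 2)."""
    mu, sigma = lognormal_params(s.loss_low, s.loss_high)
    return s.annual_frequency * math.exp(mu + sigma * sigma / 2.0)


def _poisson(rng: random.Random, lam: float) -> int:
    """Knuth's Poisson sampler; adequate for the small event rates used here."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p < threshold:
            return k
        k += 1


def simulate_annual_losses(s: RiskScenario, years: int = 20_000, seed: int = 7) -> list[float]:
    """Simulate independent years: a Poisson number of events per year, each with a
    lognormally distributed loss. Returns one total-loss figure per simulated year."""
    rng = random.Random(seed)
    mu, sigma = lognormal_params(s.loss_low, s.loss_high)
    totals = []
    for _ in range(years):
        events = _poisson(rng, s.annual_frequency)
        totals.append(sum(rng.lognormvariate(mu, sigma) for _ in range(events)))
    return totals


def summarize(losses: list[float]) -> dict[str, float]:
    """Board-friendly numbers: expected annual loss, a 95th-percentile bad year,
    and the probability of suffering any loss in a given year."""
    ordered = sorted(losses)
    n = len(ordered)
    return {
        "expected_annual_loss": sum(ordered) / n,
        "p95_annual_loss": ordered[min(n - 1, int(0.95 * n))],
        "prob_any_loss": sum(1 for x in ordered if x > 0) / n,
    }


def return_on_security_investment(baseline: RiskScenario, mitigated: RiskScenario,
                                  annual_control_cost: float, years: int = 20_000) -> dict[str, float]:
    """Compare simulated expected loss with and without a control.
    ROSI = (annual loss reduction - annual control cost) / annual control cost."""
    before = summarize(simulate_annual_losses(baseline, years, seed=1))["expected_annual_loss"]
    after = summarize(simulate_annual_losses(mitigated, years, seed=2))["expected_annual_loss"]
    reduction = before - after
    return {
        "expected_loss_before": before,
        "expected_loss_after": after,
        "annual_loss_reduction": reduction,
        "rosi": (reduction - annual_control_cost) / annual_control_cost,
    }


# Constructed placeholder scenario: ransomware delivered by phishing, 0.4 expected
# events per year, per-event loss between $100k and $1M (90% confidence). The
# mitigated variant assumes phishing-resistant MFA cuts the frequency to 0.15 per
# year at an assumed cost of $60k per year.
BASELINE = RiskScenario("ransomware via phishing", 0.4, 100_000.0, 1_000_000.0)
MITIGATED = RiskScenario("ransomware via phishing, with MFA", 0.15, 100_000.0, 1_000_000.0)
MFA_ANNUAL_COST = 60_000.0

if __name__ == "__main__":
    stats = summarize(simulate_annual_losses(BASELINE))
    print(f"{BASELINE.name}: expected annual loss ${stats['expected_annual_loss']:,.0f}, "
          f"95th-percentile year ${stats['p95_annual_loss']:,.0f}, "
          f"P(any loss in a year) {stats['prob_any_loss']:.2f}")
    roi = return_on_security_investment(BASELINE, MITIGATED, MFA_ANNUAL_COST)
    print(f"MFA control: cuts expected loss by ${roi['annual_loss_reduction']:,.0f}/yr, "
          f"ROSI {roi['rosi']:.0%}")
```

The point for the CISO/CFO conversation is the shape of the output, not the placeholder figures: a single expected-loss number and a tail figure for a bad year are what a CFO can weigh against budget, and a positive ROSI shows that a control costing $60k a year is worth funding when it removes roughly $100k of expected annual loss. The closed-form `analytic_expected_annual_loss` is there to check the simulation; real CRQM tooling replaces the hand-entered frequency and loss ranges with data from telemetry, control coverage and incident history.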
Inviting Others to the Table
By bringing other leaders into security-focused conversations, CISOs can dissolve silos and establish cybersecurity as a shared business priority that affects and involves the entire organization. Making space for executives from other areas of the business to take part in dialogue about cyber risk ensures that everyone understands the potential threats and how they will affect every part of the organization if left unaddressed. At the executive level this also benefits security teams by improving their chances of obtaining funding: when the board understands how prevalent certain cyber risks are and why mitigating them preserves smooth operations across every branch or department, it is more likely to approve the capital that cyber risk management requires.
This holds beyond the C-suite as well, both upstream and downstream: inviting other teams into conversations, training and educational sessions about cyber risk management sends the message that cybersecurity operations and strategy are key to the success of the entire organization. Widening the narrative encourages more people to care about, and take part in, the practices needed to mitigate cyber risk.
Proactivity as a Priority for Prevention
Working with CFOs and other C-suite executives, CISOs can prevent outcomes like the SEC/SolarWinds case by taking a proactive approach to cyber risk management. Clear, ongoing and comprehensive conversations about security topics and investments let organizations act proactively rather than reactively and stay ahead of emerging risks. When security infrastructure is continuously monitored and the right defenses are in place to detect and contain a breach before it becomes an incident, organizations gain a clear picture of their risk exposure and can make data-driven decisions about where cybersecurity investment is most meaningful.
About the Author
Jose M. Seara is the founder and CEO of DeNexus, a leader in cyber risk quantification and management for operational technology (OT) and industrial control systems (ICS). Jose can be reached online at https://www.linkedin.com/in/jmseara/ and at our company website https://www.denexus.io/