Business impacts at this level affect the fundamental financial performance and sustainability of an organisation, which means cybersecurity must no longer be considered an IT issue; it’s a matter for the board in its role as custodian of shareholder value. By managing cyber risk as part of the overall organisational risk strategy, boards can put it into a commercial context and drive the cultural awareness of risk that is essential to promote cyber resilience across the business.
Making the shift from technology-centric to business-centric risk management
Elevating cyber risk management to the board level is not without challenges, however. We are still very much in the midst of a shift in mindset from a technology-centric to a business-centric view of cyber threats. This can result in a disconnect: many boards find it difficult to interpret the information they receive from the IT team, while many IT functions struggle to understand what data the board really needs to carry out effective oversight. This challenge was underlined by EY interviews that found difficulties “obtaining relevant, objective and reliable information, presented in business-centric terms…[and this] affects board members’ ability to understand the risk facing their organisations and evaluate management’s response to these risks.”
This area is where the evolving role of the CISO—sitting between the business and the board—requires a mix of skills. CISOs need both technical expertise in analysing and interpreting threat metrics and technology performance, and the ability to apply these skills in a broader business context for board directors so they can deliver strategic cyber risk oversight and governance for the business.
Reporting to the board - from numbers to narrative
While boards are increasingly factoring cyber skillsets into their succession planning when recruiting new board members, most current board directors don’t have deep experience in cybersecurity. This means that any metric-based reporting should be simple to interpret, including auditable figures that provide an overview of the organisation’s security posture.
Reports should also be framed in terms of the impacts specific security incidents have on the business. For example, a DDoS attack might cause reputational risk, operational risk and strategic risk. And, of course, the flipside of risk is compliance, so the board also needs to know how cybersecurity incidents could impact data privacy and governance.
It’s the role of the board to challenge senior management robustly in order to deliver effective oversight, so CISOs should be ready to answer questions around the organisation’s cybersecurity maturity and the frameworks established to manage emerging threats.
However, while numbers and frameworks are valuable in helping boards evaluate and audit cyber risk posture, when it comes to setting a risk-aware culture, directors really need deeper context around the types of threats specific to their organisation. If board directors are given a window into the environment, tactics, and motivational psychology of actors that target their sector and business, they can better understand the risks themselves. Once that has been achieved, board directors can become an asset to the CISO in promoting a cyber risk-aware culture not just as a tick-box exercise, but because they have genuine appreciation of the factors, and indeed actors, in play.
To achieve this board-level buy-in, CISOs need to move from numbers to narrative to drive the message home. This is where business risk intelligence provides the context that helps bring risk to life.
It’s undoubtedly useful for senior leaders to understand the frequency and type of the cyber-attacks the business experiences, but it’s also valuable for them to know the extent to which the organisation is the topic of conversation in the illicit online communities that initiate those attacks.
Deep and dark web forums, chat services, and other platforms are often where cybercriminals discuss tactics to defraud or infiltrate the organisation. These types of venues are also where company secrets, intellectual property, and stolen data may be offered for sale. An overview of the company’s profile across the deep and dark web, as well as other illicit online communities, and the kinds of tactics that are being discussed, is a powerful way CISOs can help directors gain context to understand what the business faces.
Illustrating third-party risk
Third-party risk, including supply chain weaknesses, is a hot topic in boardrooms as businesses realise that keeping their own house in order is not enough. Intelligence gleaned from illicit online communities can also be used to illustrate potential weaknesses in, or threats to, partner organisations. This intelligence can help boards meet objectives to manage supply chain risk.
Successful cyber risk oversight by company boards relies on them receiving a combination of auditable metrics, risk impact assessments and contextual information enabling them to provide informed oversight of cyber risk. Greater understanding of the threat actor environment also assists boards in leading a risk-aware culture across the business, moving from a tick-box approach to a genuine cultural shift.