Thanks to the constant stream of mega-breaches, cybersecurity has moved from the server room to the boardroom. While it’s become evident that cyber defense requires board-level input and attention, translating deeply technical cybersecurity and risk factors into business terms has been an ongoing struggle.
It’s an effort that has fallen squarely on the shoulders of chief information security officers (CISOs), but its success is contingent on input and assistance from CFOs and other risk managers.
For those enterprises that have a CISO (and way too many still don’t), demanding internal clients such as the board, risk committees, and CFOs are asking tough questions. But given the sense of urgency around cybersecurity, CFOs and risk managers must be collaborators, not interrogators.
In cybersecurity circles, the idea of “aligning security with the business” gets a lot of lip service, but alignment is not a one-way street. There are some very real challenges associated with implementing cyber-risk management as a business function, challenges that are not just “cyber” problems but business problems with roots in areas beyond the cybersecurity domain. These include the following.
Complexity of cybersecurity management: Cybersecurity terminology changes constantly, and the underlying work is harder still. Allocating resources and determining the organization’s risk appetite and exposure are complex, detail-oriented efforts that require a level of visibility into assets, controls, and threats, and a degree of standardization in how they are measured, that most organizations don’t yet have in place.
Asymmetry between attack and defense: Simply put, waging attacks is not a particularly expensive endeavor. Products such as ransomware and services such as renting a botnet for a DDoS attack are basically commodity items, while buying and deploying security products is a time- and resource-intensive endeavor.
Difficulty of turning data into meaning: The cyber landscape is full of data, but there’s not enough contextual information. Security leaders need to find a way to translate and contextualize the vast amount of data generated by their security controls, as well as data from external sources, so boards can make decisions about how to manage cyber risk and prioritize investments.
Rapid changes in defensive technologies: Where should you put your cyber defense dollars? The threat landscape changes rapidly, but business competition changes even faster. CISOs need support and resources to confirm that the organization’s current security plan addresses business development needs in a cost-effective way.
Understanding cyber financial resilience: The common denominator of business is money. Without a clear translation of cyber risk into monetary terms, directors and C-level executives are “faced with a mountain, having a teaspoon to move it.” Furthermore, the cost of cyber defenses should be weighed against hedging techniques such as cyber insurance, informed by an impact analysis of the organization’s current risks.
Cyber defense resource optimization: What should we do with existing investments in technology, policies, and processes? How can we make sure the organization, instead of following “fashions” and trends, optimally leverages existing resources?
CFOs are in a unique position to help CISOs work through some of these challenges because of their understanding of and familiarity with managing other forms of business risk. They can help CISOs structure a cyber risk management program based on business-appropriate metrics and an integrated data set. In other words, they can help create the common ground needed for CISOs and the board to truly align security with the business.
The challenges listed above are not easily solved, but creating a modern framework for cyber risk management is not an insurmountable task. For all the factors beyond the control of the organization, one thing the executive management team can control is whether their CISO has the business context needed to set and manage expectations in the boardroom.
Elon Kaplan is co-founder and president of Cytegic, a provider of cybersecurity management solutions.