Effective Cybersecurity Board Reporting
By Allen Ari Dziwa, CISSP, CCSP, a risk specialist and SME at the Federal Reserve Bank of Cleveland. He has worked in technology and cybersecurity consulting for 15 years. Allen currently serves on the Board of Directors of ISSA North Texas and on EC-Council’s Ethical Hacking Advisory Board, and has contributed to CISSP reviews for (ISC)². He is a certified ethical hacker and certified threat intelligence analyst.
The purpose of a Board of Directors is to provide governance and hold senior management accountable, including for implementing the cybersecurity strategy within the established cyber risk appetite. Every organization aims to generate revenue from its business activities, which in most cases involves technology and systems exposed to the internet. Technology and systems that process and store data carry inherent risk that may result in the loss of data confidentiality, integrity or availability. Organizations can never eliminate this inherent risk, but they can reduce it to an acceptable level, and what counts as acceptable depends on the established cyber risk appetite. Cyber risk appetite can be viewed as the aggregate level and types of cyber risk the firm’s board is willing to accept in pursuit of its strategic business objectives. When the board sets enterprise-wide risk appetite with advice from the chief risk officer and second line of defense experts, the same group also defines the cyber risk appetite for the organization with some level of granularity. Monitoring and managing cyber risk against that appetite is the core of cybersecurity reporting to the board.
But why does the board require this reporting? It needs this information to make decisions that help ensure senior management is properly managing technology and cyber risk, which is critical to avoiding loss of revenue, loss of reputation and even serious legal exposure. Effective risk reporting therefore means that the information provided to the board is useful in helping it make the right decisions, at the right time, for the strategic needs of the business. Through management information systems (MIS), senior management should be able to translate technical jargon into business language that explains how cyber risk affects operations and how the impact on operations affects revenue-generating activities. Cyber risk, which falls under operational risk, should be communicated clearly to the board, usually through a designated Board Risk Committee that ideally includes at least one board member who is both business- and technically-savvy.
Gone are the days when cybersecurity could be treated as a cost center deserving only cursory attention; cybersecurity and technology should be viewed as business enablers that are an integral part of the organization’s mission, which includes selling services or products. Unless a firm’s core business is selling cybersecurity services for fees, there has likely been a historical view of cybersecurity expenditure as a cost center that consumes a percentage of the budget without a clear connection to revenue generation.
Some stakeholders believe that simply creating metrics amounts to reporting to the board effectively. The question is whether those metrics help the board make meaningful strategic decisions. Many organizations use key risk indicators (KRIs), metrics that serve as early warning indicators when a value crosses a threshold that marks the edge of the established appetite. Some firm-created KRIs are never breached because of poor calibration, which makes them irrelevant to decision making. Senior management should be able to demonstrate why the cyber risk expressed in the metrics could adversely affect the operational soundness of the firm, and what the board needs to do about it, such as approving an investment to avert a breach that could cost the firm revenue and damage its brand.
For instance, if cybersecurity metrics show consistent attempts by state-sponsored threat actors to target the firm with ransomware, senior management may compile this as evidence for the board to decide on a possible investment. After a cost/benefit analysis, that investment could be backup infrastructure such as a hot site, especially if the data at risk is critical to the firm’s core operations.
Another example is key performance indicators (KPIs) showing that the firm is behind in remediating identified vulnerabilities that can directly affect operations and the bottom line; that information can then serve as the basis for hiring additional skilled personnel to speed up remediation. Cybersecurity metrics of this kind help management present strategic needs to the board of directors. Many organizations instead overwhelm their board members with a compendium of metrics that are esoteric and convey irrelevant information.
In regulated industries such as healthcare, cybersecurity metrics should also enable the board to assess whether senior management is maintaining compliance with laws and regulations. This too requires a carefully and properly conceived set of cybersecurity metrics that informs the board clearly about how the firm is maintaining compliance. To ensure cybersecurity reporting is not misreported by the first line of defense (the team under the chief information security officer, or CISO), an independent second line of defense should ideally review and challenge the metrics for relevance and accuracy before the board sees them.
It is important to remember that the board of directors has a fiduciary duty to protect the interests of shareholders, and all of its decisions are ultimately intended to achieve that goal. Cybersecurity metrics should therefore give insight into the status of the firm’s cyber risk profile, and that profile should clearly indicate how cyber risk can affect revenue-generating activities or create financial risk through legal exposure and brand damage. Senior management can tie cyber risk to core operational risk by properly operationalizing the risk appetite. When a firm says its risk appetite is medium, that statement has to be translated into risk thresholds expressed as quantitative limits, and those limits should form the basis for estimating possible operational impact.
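The two points above, translating a qualitative appetite into quantitative KRI limits and spotting KRIs whose thresholds are so poorly calibrated that they can never warn anyone, are easy to show in code. The following is an added illustration written for this page, not code from the author or any firm; the KRI names, the per-appetite limits, the 80% warning band, the 50% calibration rule and the monthly observations are all constructed assumptions.

```python
"""Evaluate cyber KRIs against limits derived from a stated risk appetite,
and flag limits that cannot act as early warnings (poorly calibrated).

Added example; all names, limits and observations are constructed assumptions.
"""
from dataclasses import dataclass

# Assumed quantitative limits per appetite level. Lower appetite => tighter
# limit. Every KRI here is "higher is worse".
APPETITE_LIMITS = {
    "low":    {"critical_vulns_past_sla": 0,  "phish_click_rate_pct": 2.0,  "privileged_accounts_no_mfa": 0},
    "medium": {"critical_vulns_past_sla": 5,  "phish_click_rate_pct": 5.0,  "privileged_accounts_no_mfa": 3},
    "high":   {"critical_vulns_past_sla": 20, "phish_click_rate_pct": 10.0, "privileged_accounts_no_mfa": 10},
}
WARNING_FRACTION = 0.8   # assumed: raise an early warning at 80% of the limit
LOOSE_FRACTION = 0.5     # assumed: a limit never half-reached is probably too loose


@dataclass
class KRI:
    name: str
    history: list   # constructed monthly observations, oldest first


def status(value, limit):
    """Classify one observation: 'breach', 'warning' (approaching) or 'within'."""
    if value > limit:
        return "breach"
    if limit > 0 and value >= WARNING_FRACTION * limit:
        return "warning"
    return "within"


def calibration_issue(history, limit):
    """Return a reason if this limit cannot function as an early warning, else None."""
    if not history:
        return "no data"
    if limit > 0 and max(history) < LOOSE_FRACTION * limit:
        return "never approached limit; threshold likely too loose"
    if all(v > limit for v in history):
        return "always breached; threshold too tight or risk unmanaged"
    return None


def board_view(kris, appetite):
    """One row per KRI: current value vs limit, status, trend and calibration flag."""
    limits = APPETITE_LIMITS[appetite]
    rows = []
    for k in kris:
        limit = limits[k.name]
        current = k.history[-1]
        previous = k.history[-2] if len(k.history) > 1 else current
        rows.append({
            "kri": k.name,
            "limit": limit,
            "current": current,
            "status": status(current, limit),
            "trend": "worsening" if current > previous else ("improving" if current < previous else "flat"),
            "calibration": calibration_issue(k.history, limit),
        })
    return rows


# Constructed sample data: four months of observations per KRI.
SAMPLE_KRIS = [
    KRI("critical_vulns_past_sla",    [2, 3, 4, 6]),
    KRI("phish_click_rate_pct",       [1.0, 0.8, 1.2, 0.9]),
    KRI("privileged_accounts_no_mfa", [3, 3, 2, 3]),
]

if __name__ == "__main__":
    for row in board_view(SAMPLE_KRIS, "medium"):
        flag = f"  [calibration: {row['calibration']}]" if row["calibration"] else ""
        print(f"{row['kri']:<28} {row['current']:>5} / {row['limit']:<5} "
              f"{row['status']:<8} {row['trend']:<9}{flag}")
```

With a "medium" appetite the sample data yields one breached KRI (overdue critical vulnerabilities), one at warning level (privileged accounts without MFA) and a phishing click-rate KRI that is flagged because it has never come within half of its limit, which is exactly the "never breached because of poor calibration" case. Re-running the same observations under a "low" appetite turns the vulnerability KRI into an always-breached indicator, showing that the limit, not the underlying data, is what changed when the appetite did.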
For more on what a CISO should present, how to present it and what the key takeaways should be, read Board, (Dash)board and Bored by Jon France, CISSP, (ISC)² CISO.