Contributed by Craig Moss, COO, CREATe Compliance
Although Board Directors and the C-suite are increasingly being educated about cybersecurity, it is quite likely that most have picked up their knowledge from reading the Wall Street Journal or talking with their peers. As a result, many get lost in the technicalities of cybersecurity. The challenge for you as a CISO is: how do you establish a common language and understandable metrics with your C-suite and the Board? Here are five ways to get the conversation started.
Make cybersecurity part of broader enterprise risk management
Learn the language being used to describe other business risks and integrate it into how you talk about cybersecurity. Senior executives and boards are very familiar with assessing the probability and negative impact of risks, establishing a risk tolerance level and developing risk management plans. If you use the same approach and terminology, it will help them understand the big picture and make more informed decisions about the actions you suggest. Senior management is focused on a broad range of business performance, compliance and regulatory risks. Showing them how cybersecurity fits into the broader enterprise risk management picture helps to break down the misperception that “cybersecurity is an IT issue.” Be ready with the technical details, but don’t lead with them.
Talk about program maturity
Maturity models are embraced by senior management and the board because they are familiar with them from many other programs, like quality management. Edna Conway, Cisco’s Chief Security Officer, Global Value Chain believes that cybersecurity is a part of an overall security architecture – something she refers to as “Pervasive Security.” “Security professionals need to speak the language of business – maturity and tolerance levels allow us to do that,” said Conway.
It is critical for you to make a clear distinction between program maturity metrics and performance metrics. For a practical example of the different types of metrics, let’s look at password use in your organization, a common issue. Cybersecurity program maturity metrics measure the actions taken to establish and communicate the password policies and procedures to the workforce. Has a practical policy been established with cross-functional input? Is the workforce communication part of a repeatable process? Is there recurring communication to reinforce the message? Are there records? How is workforce adherence to the policy monitored? Is the overall password procedure evaluated for effectiveness? By comparison, performance metrics look at the number of incidents caused by weak or compromised passwords. Both kinds of metrics are useful, but the maturity metrics are a better indicator of your ability to manage cybersecurity risk.
Focus on people, processes AND technology
It’s becoming common wisdom that cybersecurity is a people, process and technology issue. Senior management needs to know how these three elements work together to reduce risk in a way that doesn’t impede efficient business operations.
Octavio Flores, Director, Information Technology, at P&G, stated, “It is all about effective risk management; to do it consistently, companies need to make a strategic choice to lead and drive their security program by measuring program maturity in the areas of policy, people, process and technology. Performance metrics are also required, but program maturity focuses the company on critical capability building, coverage of those capabilities, and sustainability of performance operating those capabilities.”
Help senior management understand that cybersecurity requires the orchestration of people, processes and technology – and that they have a critical role in it.
Build buy-in across the organization and send a unified message
One of your goals is to embed cybersecurity into how people do their jobs – to create a culture of cybersecurity. To do this, the policies and procedures need to be practical or you will create a culture of “work-arounds.” The only way to develop practical policies is to get input from all of the departments and functions in your company – from finance to legal to HR to supply chain to sales. Every department needs to be involved in your mission to develop practical policies and procedures that people follow. It’s better to have someone tell you your policy idea is crazy before you release it. Getting buy-in from the department leaders lets you make a more powerful statement to senior management. Cross-functional support will help you answer practical questions from the CEO or the board, such as whether it will generate a better risk reduction ROI to spend more money on new software or on an employee training program.
Reference leading standards and frameworks
Aligning your program with a widely used standard or framework allows you to benchmark your program against other companies. Inevitably, senior management is going to ask you, “How are we doing against other companies?” If your program can reference the NIST Cybersecurity Framework or ISO 27001, you will be able to compare the maturity of your program with a broad, diverse group of companies.
In addition, the NIST Framework provides a common language and framework for assessing cybersecurity risk that senior executives and board members are increasingly familiar with as its use grows.
Craig Moss is COO of CREATe Compliance, an Ethisphere business; and Director of Content for the Cyber Readiness Institute.