Managing the company’s financial and business risks is the focus of any CEO and their directors. However, when it comes to the company risks associated with cybersecurity, there is not nearly enough consideration and understanding.
The technical nature of cybersecurity, combined with the non-technical backgrounds of typical executive teams, leads to this lack of understanding. This can make it challenging for CISOs to communicate threats effectively.
A common approach is the ‘scorecard’ produced by the CISO, which often contains too much data. Once these risks are communicated, a CISO may feel their job is done, while the CEO and executive team may still not fully understand how the security team is managing those risks.
The alternative for the CEO is to ask the CISO to measure and communicate security risks in non-technical business language that the executive team will understand and find relevant. For instance, the CISO should communicate the impact that an attack will have on customer data, or product development, rather than the technical implications of the threat.
Similarly, CEOs and boards should ask for metrics and trends on maintaining production environments, rather than how many ‘patches’ have been deployed.
As Patrick Butler, CEO of Loop Secure, says, some CISOs can hide behind the ambiguity and technical language of the cybersecurity world, and even use it to their advantage.
“Unfortunately for some CEOs, Chief Information Security Officers can use the complexity of cybersecurity to their benefit. For example, they could misrepresent a security threat for more budget, or suggest that a product they want to purchase will completely mitigate against all threats.”
“Therefore, CEOs should have a basic understanding of cybersecurity. For example, all CEOs should be aware that no software will mitigate all risks, nor accept the notion that their company is completely secure against a potential attack.”
CEOs and their directors should prepare thoughtful questions to truly understand the risks facing their company. For example, they should ask how the security team is set up to prevent, detect and respond to a security threat, and for details of the incident response plan. CEOs should also understand where the security team gets its threat intelligence, what the worst-case scenario is for a cyberattack against the company, and whether staff have the experience to build the company’s resilience against attacks.
CEOs should expect appropriate briefings from their Chief Information Security Officers (CISOs) in a language they can understand.
Briefings for CEOs and executive teams should include the following:
- The key threats that carry a significant risk against the company’s most important assets, and how those threats are changing.
- What the business is doing to defend itself from cyberattacks, and how the security team is performing in this defence.
- What the security team is doing to manage the risks posed against the current strategies and initiatives across the company.
- Any other risks the company faces, and what the business needs to do about them.
“Ultimately, the CEO and the board need to hold the CISO accountable, and can do so by being informed and asking the right questions,” says Butler.
“At the same time, a great CISO will communicate in a clear, non-technical language that educates and informs the executive team. There should be no complex metrics or data for CISOs to hide behind,” Butler concludes.