The rising number of attacks resulting in huge business losses have brought cyber security into the boardroom. Prior to the 2013 Target breach, corporate directors were not very interested in cyber security. Today, more boards and executives are demanding to understand cyber risk. With this in mind, simply put, if you report into the board, you have to be speaking their language.

Consider the impact. Target’s CEO, Gregg Steinhafel, was forced to resign, and seven out of 10 board members were ousted, in light of the holiday-season credit-card breach that affected 40 million customers. Additionally, Target has far exceeded its $100 million cyber insurance policy, with total costs estimated to be $1 billion by the end of 2017.

“Institutional Shareholder Services, which advises big shareholders how to vote on corporate ballots, called on Target shareholders to oust seven of the company’s 10 directors for not doing enough to ensure Target’s systems were fortified against security threats.”
– Wall Street Journal
As a result, we are seeing a major shift in corporate cyber policy. Boards of directors are no longer interested in check-the-box compliance. They are understanding their role much better. They are responsible to ensure that cyber controls are in place that protects the business assets of the firm in alignment with their risk tolerance.

In this article, we provide useful information to understand cyber risk from a business point of view and deliver a board presentation based upon evidence-based metrics. In addition to best practices on what is important to prioritize, we advise on how to use these evidence-based cyber security metrics to speak to the C-suite and to the board about cyber risk in a language that they understand.

Whether you’re a chief information security officer (CISO) or a security manager, a CEO, CFO, CRO or board member, this information is essential to understand and lower your company’s cyber risk to acceptable levels and have everyone on the same page.

The Right Questions

One of the board’s primary roles is to protect the business assets. The CISO must convey information about cyber risk that identifies and demonstrates how key assets are protected against an attack. This lets the CISO guide the conversation so that the board can make strategic decisions using evidence-based metrics.

There are many questions that senior executives must consider:

Regulation: Are we aligned with regulatory requirements?
Fiduciary Duty: What is the risk exposure of our key business assets? Are we minimizing this cyber risk?
M&A transactions: Are we doing proper due diligence? Does the target defer critical upgrades and maintenance costs in order to keep their costs low and attract a buyer?
CISO: Do I have enough cyber budget?
CRO: Do we have enough cyber insurance?
Personal liability: Will what happened at Target happen to me?
The bottom line: “Do we have acceptable cyber risk in relationship to our valued business assets? If not, where should we focus to lower that risk?

In the past, CISOs spoke to boards in terms of vulnerabilities. Vulnerabilities were not tied to business assets; they only demonstrated control maturity, not effectiveness, leading to confusion. Today, top managements are talking about protecting assets, not plugging gaps.

“Rather than starting with technological vulnerabilities (say, the insufficient patching of servers or routers), they should first protect the most critical business assets or processes (such as customer credit card information).”
– McKinsey
Strategic Narrative

Telling an understandable story is critical to get the outcome that you want and support from the board. A board is strategic, and the CISO must present a strategy, allowing the board to decide what aspects of that strategy to implement so that the CISO can then execute it.

Understanding key metrics in dollars and cents and baking them into your board presentation is critical to getting the necessary budget and support from the decision makers.

Top managements today are “talking about protecting assets, not plugging gaps,” writes M. Ariel Evans of InnoSec.

Defining Focus

Ask five board members for a firm’s top five assets, you will generally get 25 different answers. This is the first cyber security issue from a fiduciary perspective, one that the board must answer and agree upon. Identifying these “crown jewel” assets is critical for everyone to be on the same page. Intellectual property should not be protected like generally available information.

That said, once these assets are identified, then the risk associated to them must be baselined and monitored. Assets are associated to business processes, and a business impact analysis (BIA) and confidentiality, integrity and accessibility (CIA) assessment demonstrate inherent risk of the business assets.

Inherent cyber risk exposure allows the CISO to tell the board exactly how many hundreds of thousands or millions of dollars they have in business asset risk. Once they understand what might be lost, you can talk about what to do about it.

Using the Metrics Effectively

What is a residual risk of the assets with cyber controls in place? This should be measured against the business assets and processes in terms of vulnerabilities and how they impact the risk of each asset. Data from SIEM (security information and event management) and automated vulnerability scans can be used, as well as manual audit data, to show dynamic information.

Total cyber risk can never be completely mitigated. However, using a business asset approach allows for effective cyber budgeting, demonstrating how each asset is impacted and can provide a clear line of sight into what needs to be prioritized and the costs.

Risk Tolerance

In order to speak about cyber risk as it relates to business assets, the risk owners must answer the question, “What is our cyber risk tolerance?”

This question should be answered by the CRO or a senior executive who can determine how much money the organization could lose and remain operationally sound in the event of a cyber breach. This metric can be used in a cyber risk equation that provides an idea of how well your cyber exposure is mitigated or transferred using cyber insurance.

Risk Transfer

Cyber insurance is a risk transfer tool that should be utilized by major organizations. No one can boil the ocean in cyber. Attacks will happen and will be successful. Insurance is a stop-gap measure to ensure the organization is protected against the financial impact of cyber exposure in alignment with the company’s risk tolerance.

It is possible to relate these metrics together to determine cyber insurance – cyber budget in alignment with risk tolerance. Determining how much cyber insurance is needed is an important part of the cyber security strategy. Cyber insurance needs are equal to the Inherent Risk Cost – Risk Tolerance – Inherent Exposure.

Cyber Budgeting

Most organizations provide the CISO a percentage of IT spend as the cyber budget. This is not a strategy; it is a guess, and a bad one. Demonstrating how effective cyber resources and tools are and how they reduce risk is a key ingredient to getting the needed funding for your cyber security program.

When each vulnerability is associated to an asset, the prioritization becomes clear. Having a budget aligned to the cap ex and op ex needed to remediate crown jewel asset risks provides a business case that is aligned to the cyber strategy.

Cyber security risk is a complex topic that can be simplified with understanding and automation. Resources are scarce, and getting this data in real time, instead of in unmanageable Excel spreadsheets, provides an unprecedented edge.

Modern CISOs must be able to make the case for how cyber security impacts their businesses directly – and one of the most effective ways to accomplish that is through evidence-based metrics.

Ariel Evans (mariel@innosec.com) is a senior cyber security expert and CEO of InnoSec, which provides an end-to-end cyber risk management platform for enterprises, M&A and cyber insurance companies. She was formerly chief information security officer for a major telco in the U.S.; has led numerous security-related projects for F-500 companies; and has provided expert guidance to the Department of Homeland Security, Payment Card Industry and other governing bodies that are accountable for reducing risk and ensuring secure financial, medical and personal data. Following undergraduate work in nuclear physics, Ms. Evans earned an MBA in finance and entrepreneurship from New York University’s Stern School of Business.