How CISOs can engage the C-suite and Board to manage and address cyber risk

July 30, 2023 10:10 AM

Image Credit: VentureBeat made with Midjourney

Head over to our on-demand library to view sessions from VB Transform 2023. Register Here

The modern Chief Information Security Officer (CISO) has a difficult job. Amidst the myriad of malicious cyber threats attempting to infiltrate their organization, CISOs must also effectively navigate other murky waters: Engaging their C-suite and governing counterparts on matters of cybersecurity. It’s a tall task for which decades of technical training and programmatic cyber expertise alone are insufficient preparation.

The Securities and Exchange Commission (SEC) finalized new cybersecurity regulations on July 26 that require public companies to disclose cybersecurity breaches within four days, as well as raise their Board’s level of cyber expertise and oversight of managing and assessing cyber risk. The agency proposed these regulations in 2022 and the final decision is expected to come in October 2023.

Now more than ever, CISOs should be well-positioned to inform and engage fellow leaders as organizations invest in digital transformation at scale.

Seeking out the latest and greatest technologies

The hyper-competitive landscape of our digitalized enterprise world drives organizational leaders on a continuous search for the latest and greatest innovative technologies that can elevate them above the pack.

Event

VB Transform 2023 On-Demand

Did you miss a session from VB Transform 2023? Register to access the on-demand library for all of our featured sessions.

These technologies have evolved exponentially over the various eras of computing. It started with the centralized mainframe, then transitioned to microcomputers and PCs in the 1990s. Then came the internet era, the subsequent mobile device revolution of the 2000s and expansion into the cloud throughout the 2010s.

We’ve now entered another transformative era: The current arms race of generative AI and machine learning (ML) that, albeit exciting, has ushered in a wide range of new operational risks for CISOs to manage.

Knowing when to say yes

The march to streamline business-critical functions, alleviate bottlenecks, and improve operational efficiency makes digital transformation a top priority for every organization. When revenue and customer satisfaction are on the line, adopting new technologies and understanding the cyber risk associated with them is imperative.

For CISOs to be true business partners, it’s not feasible to say “no” to every new opportunity. Knowing how and when to say “yes” without jeopardizing the organization’s security posture can be tricky.

This heightens the importance of understanding how to simplify cyber risk to the C-suite and Board in a manner that fosters a collective understanding of its criticality. The role of the CISO is no longer to be a tactical facilitator or pure technologist. It’s about being a transformative leader that tightens the gap between the organization’s cybersecurity and business operations to help drive market adoption and sustained success.

Engaging the C-suite: Aligning cyber risk to business goals

Effectively engaging the C-suite is based upon simplifying the connection between cyber risk and business risk. This requires deciphering the impact of a cyberattack in a way that doesn’t portray a doomsday narrative, but still clearly outlines the severe ramifications it could pose on fundamental business goals.

For a conversation with the CFO, that link could be financial losses associated with operational downtime caused by a ransomware event. For the CMO, it could be brand reputational damage after customer personally identifiable information (PII) data was leaked. For the COO, it could be a business disruption following a supply chain breach.

The true name of the game is conveying the implications of inaction, tying it back to outcomes that carry the most meaning in the eyes of respective leaders. Because let’s face it, conversations around the intricacies of extended detection and response (XDR) solutions, exfiltration and Distributed Denial of Service (DDoS) attacks are never going to fully resonate with a non-technical audience.

And, by extension, it can also come across as belittling without the CISO actually realizing it, further exasperating the complexity of the cyber threat landscape.

Engaging the board: Building trust and confidence

As the nature of cyber threats continues to evolve, so too is the regulatory landscape around overarching cyber risk. With the new SEC regulations in play, boardrooms are finally beginning to embrace the urgency of cyber resilience in a digital age — making heightened commitments to equipping organizations with the right resources to proactively safeguard data and defend themselves.

The ripple effect of this paradigm shift is that security leaders are now getting tapped by their Boards for insight and counsel more than ever before. A CAP Group Study earlier this year found that 90% of companies in the Russell 3000 index lacked a single director with the necessary cyber expertise. In turn, CISOs are being called upon to establish and maintain an open line of communication across the boardroom.

Quick and continuous updates

Considering stringent compliance requirements will soon be in play, the Board needs quick and continuous updates on the cyber threat landscape. Effective engagement in this context requires a firm understanding of the ultimate end goal. It’s not so much a matter of asking the main governing body of the organization for cyber budgeting or approvals. That’s usually for the C-suite to decide.

Rather, it’s a petition to trust that the organization is well-positioned to steward itself through a cyber crisis and mitigate its fallout in compliance with corresponding regulations.

Time is of the essence in boardroom settings — CISOs often only have 15 to 30 minutes to make their case. So, do away with the extensive PowerPoint decks and lengthy presentations and instead leverage impactful storytelling techniques and logical real-world examples that draw emotion.

It’s not just about vocalizing cyber risk. It’s about making them feel the impact of it.

Frank Kim is a SANS Institute Fellow and CISO-in-Residence at YL Ventures.

DataDecisionMakers

Welcome to the VentureBeat community!

DataDecisionMakers is where experts, including the technical people doing data work, can share data-related insights and innovation.

If you want to read about cutting-edge ideas and up-to-date information, best practices, and the future of data and data tech, join us at DataDecisionMakers.

You might even consider contributing an article of your own!