A classic cybersecurity storyline: there is executive tension over cybersecurity spending, the company gets breached, and a blame game between the CISO and their peers ensues, resulting in the termination of the CISO as a form of remediation. Reports indicate that only 27% of CISOs stay in their role at a company for three to five years. While hitting a CISO reset button may seem like a resolution, it creates a lack of continuity in security remediation efforts, and does not solve any underlying security problem.
This pattern can be tied to the lack of strong technical representation at the board level, which would ensure a sound understanding of the cybersecurity landscape. Having a technical expert on the board allows for ongoing healthy scrutiny of the organization’s security posture, and could provide support for the effective initiatives that CISOs implement. The 2021 Global CISO Report by Marlin Hawk highlights that only 1% of company boards include an executive who has spent most of their career as a CISO.
Lack of knowledge at the leadership level can create significant tension between the CISO and their peers as the impact of the CISO’s program on business is often not understood, and cybersecurity continues to be treated as a siloed risk rather than a holistic business risk. Even with technical experts on the board, CISOs need to find a common language to communicate with their peers and the board – one based on financial metrics.
Translating cybersecurity risk into financial impact does not need to be perfect or complicated. You can start with data points like how much revenue your company makes in a year and how much cyber insurance coverage is in place. From those figures you can derive the financial impact of a ransomware-driven outage per day or per hour, and how many days of such losses the insurance would offset. It is well documented that multi-factor authentication (MFA) can prevent over 90% of phishing and automated cyberattacks. A simple ROI calculation can be done using the cost to implement MFA and the estimated financial benefit of avoiding the downtime that results from a ransomware attack.
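The calculation sketched above, carried through in code as an added illustration (this is not code from the post or from SecurityScorecard). Every input figure is a constructed assumption for a hypothetical company, except the 90% MFA effectiveness rate, which the post cites; the model also assumes that MFA's effect on phishing and automated attacks can be applied as a proportional reduction in the yearly likelihood of a ransomware outage.

```python
"""Back-of-the-envelope translation of ransomware-outage risk into money.

All input figures are constructed assumptions for a hypothetical company;
only the 0.9 MFA effectiveness rate comes from the post being illustrated.
"""
from dataclasses import dataclass

DAYS_PER_YEAR = 365
HOURS_PER_YEAR = DAYS_PER_YEAR * 24


@dataclass
class RiskInputs:
    annual_revenue: float             # revenue per year
    insurance_coverage: float         # cyber-insurance payout limit per incident
    annual_attack_probability: float  # assumed P(ransomware-driven outage in a year)
    outage_days: float                # assumed length of a ransomware outage
    mfa_annual_cost: float            # assumed licences, rollout and support for MFA
    mfa_effectiveness: float = 0.9    # share of phishing/automated attacks MFA stops (post's figure)


def loss_per_day(inputs: RiskInputs) -> float:
    """Revenue at risk for each full day of outage."""
    return inputs.annual_revenue / DAYS_PER_YEAR


def loss_per_hour(inputs: RiskInputs) -> float:
    """Revenue at risk for each hour of outage."""
    return inputs.annual_revenue / HOURS_PER_YEAR


def insured_outage_days(inputs: RiskInputs) -> float:
    """How many days of a full outage the insurance limit would offset."""
    return inputs.insurance_coverage / loss_per_day(inputs)


def outage_cost_split(inputs: RiskInputs) -> tuple:
    """(insured, uninsured) cost of a single outage of the assumed length."""
    total = loss_per_day(inputs) * inputs.outage_days
    insured = min(total, inputs.insurance_coverage)
    return insured, total - insured


def expected_annual_loss(inputs: RiskInputs, with_mfa: bool = False) -> float:
    """Probability-weighted yearly outage loss, optionally after MFA.

    Assumption: MFA's blocking rate is applied as a proportional reduction in
    the probability that a ransomware outage happens at all.
    """
    probability = inputs.annual_attack_probability
    if with_mfa:
        probability *= 1 - inputs.mfa_effectiveness
    return probability * loss_per_day(inputs) * inputs.outage_days


def mfa_roi(inputs: RiskInputs) -> tuple:
    """(annual benefit, ROI) where ROI = (benefit - cost) / cost."""
    benefit = expected_annual_loss(inputs) - expected_annual_loss(inputs, with_mfa=True)
    return benefit, (benefit - inputs.mfa_annual_cost) / inputs.mfa_annual_cost


# Constructed example company (hypothetical figures, not from the post).
EXAMPLE = RiskInputs(
    annual_revenue=365_000_000,
    insurance_coverage=5_000_000,
    annual_attack_probability=0.2,
    outage_days=7,
    mfa_annual_cost=300_000,
)


def board_summary(inputs: RiskInputs) -> str:
    """Plain-language lines a CISO could put in front of a board."""
    insured, uninsured = outage_cost_split(inputs)
    benefit, roi = mfa_roi(inputs)
    return "\n".join([
        f"Outage costs ${loss_per_day(inputs):,.0f}/day (${loss_per_hour(inputs):,.0f}/hour)",
        f"Insurance offsets {insured_outage_days(inputs):.1f} days of outage",
        f"A {inputs.outage_days:g}-day outage: ${insured:,.0f} insured, ${uninsured:,.0f} uninsured",
        f"Expected annual loss: ${expected_annual_loss(inputs):,.0f} without MFA, "
        f"${expected_annual_loss(inputs, with_mfa=True):,.0f} with MFA",
        f"MFA benefit ${benefit:,.0f}/year against ${inputs.mfa_annual_cost:,.0f} cost: ROI {roi:.1f}x",
    ])


if __name__ == "__main__":
    print(board_summary(EXAMPLE))
```

The point of the model is the conversation it enables rather than its precision: every input is a visible assumption the board can challenge, and the same functions can be re-run with the company's real revenue, policy limit and incident estimates. The uninsured portion of a single outage is reported separately because it is the number that typically lands on the balance sheet regardless of coverage.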
At SecurityScorecard, we take the financial impact assessment a step further, enabling CISOs not only to communicate their external security posture in financial terms, but also to continuously monitor that posture and hold a tradeoff conversation about which security improvements will prevent the most expensive, most likely, or most frequent attacks.
As for the rest of the leadership and the board, it behooves them to include the CISO in ongoing business conversations and board presentations, given the critical importance of cybersecurity in this day and age.
To learn how to effectively align with your board, download SecurityScorecard’s CISO Action Plan or register for free for our Cybersecurity in the Boardroom course.