Three-quarters of U.S. CEOs in PwC’s 24th Annual Global CEO Survey said they are “extremely concerned” about cyber threats. They want to understand roadblocks, cyber insurance coverages, and budget allocation, among other critical topics.
CISOs prefer the language of technology, and boards prefer the language of finance.
Cyber risk is not just a security issue, it’s a business issue. As such, it has become an executive level discussion topic. But it’s a discussion between two different stakeholders of different skills and backgrounds. Security professionals relish very granular, highly technical details, then ask for a budget increase. But CEOs and Board Members need risk and ROI to be financially quantified. Security teams often need help articulating risks in business and financial terms.
Though this can be more challenging than most realize, it is very possible.
Currently, only 1% of boards include a security leader. Therefore, the path of least resistance for CISOs is to simply “dumb down” their presentation to the boards. The tradeoff here is that you’ll remove important context or underplay the threat facing the business.
Then there is the issue that discussing the efficacy of a security program involves estimating the unknown. Most security leaders have no idea whether or not their security tools are working. What was avoided? What would have been the impact? Would the result be the same had we done nothing? You can try and answer these questions based on experience, but due to the dynamic nature of cyber risk, experience can quickly become obsolete.
And finally, security teams are overloaded with so many data points about cyber risk that it’s hard to boil that down for the board. At any given moment, the security posture of a business can include hundreds of attributes. Complicating reporting is a board’s desire to understand trends that require multiplying those attributes over time.
These challenges are real, resulting in the current state of board reporting of cyber risk. Today, most discussions of cyber risk are oriented toward technical details and suffer from the following:
Siloed views of risk – Every stakeholder has their own opinion about how cyber risk can impact the business, and that creates misaligned objectives
Checklist-based prioritization – Investments are determined by a simple “yes or no” adherence to security frameworks
Status reporting – Reporting is focused on what work has been completed and described in technical jargon that doesn’t resonate with the business
Anecdotal compliance – Adherence to security mandates is delivered in static reports that quickly become old news
The challenges mentioned before are real, but they can be overcome. When CISOs and boards begin to discuss cyber risk in that common language, they can transform board reporting into a collaborative conversation that consistently leads to reduced cyber risk for the business. The benefits of shifting towards business-oriented reporting will be reflected as the following:
A shared understanding of risk – A single, holistic view of cyber risk is the basis for informing strategic business objectives
ROI-based prioritization -The costs of investments is weighed against the return on investment they will deliver
Impact reporting -Report focused on the value that security teams are providing to the organization in terms the business can understand
Proven compliance – Continuously tracked adherence to security mandates and immediate detection of gaps
Translating cyber-risk into financial risk creates a meeting of the top minds that accelerates business decision-making. Proving the effectiveness of a security program and justifying the budget in this way makes CISOs look like champions. Moreover, alignment of security leaders and top business stakeholders maximizes resources and sets expectations for how an effective security posture can enable business growth by building trust and defending against costly cyberattacks.
This ideal state is possible today, and SecurityScorecard is helping many organizations get there with its actionable data and reporting capabilities. To learn about our board reporting offerings, read this datasheet or request a demo.
About SecurityScorecard
SecurityScorecard is the global leader in cybersecurity ratings and the only service with millions of organizations continuously rated. Thousands of organizations leverage our patented rating technology for self-monitoring, business ecosystem risk management (aka third-party risk management), board reporting, and cyber insurance underwriting. But we don’t stop there. Through a customer-centric, solution-based commitment to our partners, we are transforming the digital landscape, building a path toward cyber resilience.