CEOs and CISOs need one another to maintain security postures that lead to growth. Edna Conway, Cisco’s Chief Security Officer for Global Value Chain & Aleksandr Yampolskiy, CEO and Co-Founder of SecurityScorecard, discuss strategies for translating security into the language of business.
Speaking the same language
The convergence of information technology, operational technology, and the human element require the Chief Risk Officer (CRO) to partner with the Chief Information Security Officer (CISO) to discuss information security impact in dollars, results, and risk. Yampolskiy noted that when CISOs use technical language such as “SSL encryption,” something is lost in translation. Instead, CISOs need to frame the conversation to match the Board of Directors’ D&O perspective. Instead of saying “SSL encryption” and listing several statistics, they should sayt “Encrypting the data may save the organization $2 million and will only cost $100 thousand to implement.” As Yampolskiy notes,”the biggest security risk is going out of business.”
Identifying the business risk
When assessing risk, organizations must factor in likelihood of a potential incident as well as the impact that incident could have. For example, a hedge fund and retail website face different risks. Thus, these businesses must tailor their technical controls to address these unique risks.
When consider what controls are appropriate, Conway advises organizations to ask three core questions:
- Can I still sell?
- Can I actually produce my solution or service and deliver it?
- What will this do to my brand, andwill my reputation be tarnished such that customers stop doing business with my organization?
Information security officers must communicate effectively to become agents of change that can impact business decisions.
Embedding security across the enterprise
A cyber security officer should interact across department lines within the organization and also with other organizations that have access to their data. . This requires mapping internal stakeholder relationships to third party, development, or deployment partners to document relationship ownership. Yampolskiy shares that as CISO, he created a relationship with Chief Counsel who then ensured the security team reviewed vendor contracts, helping to mitigate risk presented by third parties.
Harnessing the third party ecosystem
As a CISO, Yampolskiy worried that while he possessed the tools to assess organizational infrastructure, third parties from other departments remained oblique. Environments exponentially become more complex with thousands of suppliers and third parties providing critical business services.
Conway states that 80% of businesses feels unprepared to deal with third-party breach impacts. Moreover, most attributable breaches over the last seven years arose from third parties. These statistics alone show that organizations must properly mitigate third-party risks. NIST 1.1 in CSF specifically notes that companies cannot manage risk if they do not know with whom they are operating, what those vendor do for the business, and how those parties handle risk. Yampolskiy says, “‘Partner’ is an important word. It’s not ‘they,’ it’s ‘us.’”
Illustrating the value of security
Organizations need to define their risk appetite and make their cybersecurity decisions with this in mind; this is what the industry refers to as “operating around your risk threshold or risk tolerance level.” Yampolskiy illustrates this concept with an analogy: “Pilots need instruments to safely land a plane in a storm, and cybersecurity similarly needs quantification of risk and improvement measurements.”
Another way to measure risk appetite and define an organization’s risk tolerance level is to understand how peers or competitors in the industry operate. . By benchmarking against relevant companies, CISOs can detail metrics that help executives make informed decisions.
Yampolskiy reminds security practitioners that compliance departments can be strong allies when translating security to business language. Both information security and compliance professionals should work together to present their business case for cybersecurity investment to CEOs and the Board.
