Cybersecurity risk management is an essential aspect of business viability for modern enterprises, and explaining the value of cybersecurity strategies to the boardroom is a key part of the chief information security officer’s (CISO) brief. But what should CISOs communicate to the boardroom about cybersecurity risk assessment, and how, to ensure a sufficiently robust cyber risk posture for the company?
Ben King, Vice President for Customer Trust at Okta, a California-based identity and access management company, explains that the vital first step to effective risk management is determining an organisation’s appetite for risk. “CISOs and board members need to come to a consensus on what they are trying to protect, why they are protecting it, and from whom. Only with an agreed and documented risk appetite statement can we measure current maturity, gaps, and risk in any meaningful way,” said King.
Communicate the business value of risk management to the board
According to King, CISOs need to communicate the business value of risk management in a way that is understood by the board, such as by illustrating the potential repercussions of any breach.
In this regard, tabletop exercises – where company executives and management take part in role playing various scenarios – are a good way to communicate the potential impacts in a realistic way. “CISOs and board members alike will be able to assess the company’s crisis preparedness, its issues and crisis management response, as well as prepare for a variety of real-world scenarios,” he added.
Define a calibrated approach to cybersecurity risk assessment
CISOs need a calibrated approach to explaining cybersecurity risk assessment to the boardroom, beginning with situational awareness. Keep in mind that it is the board you are talking to, and discussions are meaningful only if they are at a high level. It is important to build the discussion around what’s driving risk for your organisation, and how your organisation is reacting to it.
With regard to CISOs’ priorities, King said, “In an ever-evolving cyberthreat landscape and given the constraints of limited time, resources, and manpower, CISOs need to establish the priorities for their organisation and the most critical threats they need to mitigate. It is naive to think all assets are of critical value, or that all threats hold the same risk. These must be assessed, discussed, and agreed upon to allow effective use of resources in real-world scenarios.”
A review of any security incidents in the reporting period is key to the discussion as well. Before the organisation can address risk, it is essential to understand the board’s risk appetite, which then becomes the reference point for everything that follows. Against that reference point, you can review the organisation’s current risk assessment and establish whether it sits within the board’s appetite.
Use comparisons to make capability maturity assessments factual
It is important to measure and communicate to the board how mature your organisation’s security capability is. Security capability can be compared and assessed against industry frameworks such as NIST or against industry peers, if you are privy to such information.
Finally, adopting a calibrated approach, CISOs are required to communicate their cybersecurity strategy and the execution of that strategy. “A calibrated approach to risk management will help CISOs determine what these critical threats are, and allocate finite resources to neutralise these potential threats before they materialise into problems,” suggested King.
Reduce the risk gap by taking the board into confidence
CISOs and the board should work together to bridge the risk gap. Security programmes typically involve a significant amount of investment, so the onus is on CISOs to prove that the investment is working and that it is aligned with strategy.
According to King, conducting a maturity assessment of security capability will effectively highlight gaps in an organisation’s risk management strategy. Some metrics that will be helpful include the number of security incidents per reporting period, the time taken to identify these incidents and remediate them, and patching cadence of primary operating systems.
Other equally important metrics are third-party risk management measures, including supply chain vulnerabilities and critical supplier risk assessments, as well as recovery metrics covering business continuity and disaster recovery planning and testing.
If the risk is outside the tolerance levels of the board, CISOs need to ask what is wrong and make the necessary changes.
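As an added worked example (not code from the article or from Okta), the script below computes the metrics named above from constructed incident and patch records: incidents per reporting period, mean time to detect and to remediate, and patching cadence per operating system. It then compares each figure against a constructed tolerance table standing in for the board’s documented risk appetite, and produces the same figures for every quarter so the numbers are comparable period over period. The record layout, the quarter boundaries and the threshold values are all assumptions made for illustration.

```python
"""Board-level cyber risk metrics computed from constructed records.

Example code added for illustration; not the article's or Okta's own
tooling. Every record, quarter and tolerance threshold below is
constructed and would be replaced by the organisation's real data and
its agreed risk appetite statement.
"""
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, median


@dataclass(frozen=True)
class Incident:
    id: str
    occurred: datetime    # when the incident actually began (from forensics)
    detected: datetime    # when the security team became aware of it
    remediated: datetime  # when the incident was closed out


@dataclass(frozen=True)
class Patch:
    os: str
    released: datetime    # vendor release date of the fix
    installed: datetime   # date the estate was fully patched


def _t(ts: str) -> datetime:
    """Parse an ISO-8601 timestamp or date into a datetime."""
    return datetime.fromisoformat(ts)


# Constructed sample data: two quarters of incidents and patch rollouts.
INCIDENTS = [
    Incident("INC-1", _t("2024-01-10T08:00"), _t("2024-01-10T14:00"), _t("2024-01-12T14:00")),
    Incident("INC-2", _t("2024-02-01T00:00"), _t("2024-02-03T00:00"), _t("2024-02-07T00:00")),
    Incident("INC-3", _t("2024-04-15T09:00"), _t("2024-04-15T10:00"), _t("2024-04-16T10:00")),
    Incident("INC-4", _t("2024-05-20T12:00"), _t("2024-05-20T18:00"), _t("2024-05-22T18:00")),
]
PATCHES = [
    Patch("linux",   _t("2024-01-05"), _t("2024-01-20")),
    Patch("windows", _t("2024-01-09"), _t("2024-02-20")),
    Patch("windows", _t("2024-02-13"), _t("2024-03-01")),
    Patch("linux",   _t("2024-04-02"), _t("2024-04-12")),
    Patch("windows", _t("2024-04-09"), _t("2024-05-15")),
]

# Constructed stand-in for the board's risk appetite statement.
TOLERANCE = {"mttd_hours": 24, "mttr_hours": 72, "patch_days": 30}

QUARTERS = [
    ("2024-Q1", _t("2024-01-01"), _t("2024-04-01")),
    ("2024-Q2", _t("2024-04-01"), _t("2024-07-01")),
]


def _in_period(records, start, end, key):
    """Records whose key timestamp falls in the half-open window [start, end)."""
    return [r for r in records if start <= key(r) < end]


def incident_metrics(incidents, start, end):
    """Incident count plus mean time to detect and to remediate, in hours."""
    hits = _in_period(incidents, start, end, lambda i: i.detected)
    if not hits:
        return {"count": 0, "mttd_hours": None, "mttr_hours": None}
    ttd = [(i.detected - i.occurred).total_seconds() / 3600 for i in hits]
    ttr = [(i.remediated - i.detected).total_seconds() / 3600 for i in hits]
    return {"count": len(hits),
            "mttd_hours": round(mean(ttd), 1),
            "mttr_hours": round(mean(ttr), 1)}


def patch_cadence(patches, start, end):
    """Median days from vendor release to full installation, per OS."""
    by_os = {}
    for p in _in_period(patches, start, end, lambda p: p.installed):
        by_os.setdefault(p.os, []).append((p.installed - p.released).days)
    return {os: median(days) for os, days in sorted(by_os.items())}


def out_of_tolerance(metrics, cadence, tolerance=TOLERANCE):
    """Names of metrics breaching the agreed thresholds; empty means within appetite."""
    breaches = []
    for name in ("mttd_hours", "mttr_hours"):
        value = metrics[name]
        if value is not None and value > tolerance[name]:
            breaches.append(name)
    for os, days in cadence.items():
        if days > tolerance["patch_days"]:
            breaches.append(f"patch_days:{os}")
    return breaches


def quarterly_report(incidents, patches, quarters, tolerance=TOLERANCE):
    """Same metrics for every quarter, so the board sees comparable figures."""
    report = {}
    for label, start, end in quarters:
        m = incident_metrics(incidents, start, end)
        c = patch_cadence(patches, start, end)
        report[label] = {"incidents": m,
                         "patch_cadence_days": c,
                         "out_of_tolerance": out_of_tolerance(m, c, tolerance)}
    return report


if __name__ == "__main__":
    for label, row in quarterly_report(INCIDENTS, PATCHES, QUARTERS).items():
        print(label, row)
```

The half-open quarter windows keep an incident or patch from being counted in two periods, and the tolerance check is run per period rather than once, so a figure that drifts back inside appetite in a later quarter shows up as such in the pre-meeting reading.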
Ensure consistent, comparable metrics for investments
“Metrics should be provided to board members in a consistent and comparable way as pre-meeting reading, so that the meetings can focus on productive discussion and decision. In this way, CISOs and board members will be better able to identify areas they need to prioritise and invest in,” King noted.
Beyond the validity, consistency, and comparability of the metrics, the accuracy of the CISO’s answers to the board’s questions is key to the interaction. Accurate responses are far more likely to hold the board’s interest than a sweeping request for more funding.
There is much potential for CISOs and their boards to work towards bridging the cybersecurity risk gap. CISOs should start the right conversations now.