RISK_A11 / T_09 Communicate Risk to the Board eBook (Desktop) Getting The Board On Board With Security Risk

Getting the board on board with security riskAre you speaking different languages?Communicating overall security health to the C-suite and board has long been a challenge for cybersecurity teams. Only 12% of organizations assessed scored a medium rating or higher for the ability to report solid security metrics. Why? Typically these groups speak different languages. Security teams are well versed in speaking to the number and types of threats they are protecting the business from, which compliance regulations they have met or are preparing answers to, reporting the results of vulnerability scans or providing the number of patches recently completed. However, the board does not care about bits and bytes, or identity and security-specific language. C-suite and board members speak about risk in terms of business impact, financial loss and reputation, not speeds and feeds. To have a productive conversation with business leaders, security professionals have to translate IT speak into how security issues impact overall business objectives. 12% SCORED MEDIUM OR HIGHER FOR THE ABILITY TO REPORT SOLID SECURITY METRICS. Finding common groundAnother reason these groups have a hard time communicating is because they are not working from the same dictionary. Security teams commonly classify risk in categories of low, medium and high. Business leaders often do not know or share these definitions as their priorities are often far different than that of the security teams. To effectively communicate with one another, and to successfully manage collective business risk, these two teams must find common ground and work together to define risk terminology so they can work from the same playbook.Translating IT speak into business impactInterpretive guidance from organizations such as the National Association of Corporate Directors (NACD) and the Securities and Exchange Commission (SEC) is available to help security teams translate IT speak into business impact. However, this is not prescriptive, it is simply guidance. Cybersecurity risk and its potential for loss and damage increases every day, so it is getting more and more scrutinized by executive leadership teams. Security teams need to communicate to the board exactly what they want to know:

Who would try to get them?

What do we have in place to stop them?

Where are there gaps?

What measures do we have in place to detect and respond should they get past preventative controls?

What is the financial impact to the organization in case of an incident?

67% OF BOARDS AREPUTTING PRESSURE ON SENIOREXECUTIVES TO INCREASE MANAGEMENT INVOLVEMENT IN RISK OVERSIGHT.NACD guidance:What the board wants to knowThe NACD provides more specific guidance with thefollowing questions:

Did cyberattacks occur and how severe were they?

How will we know if we have been hacked or breached, and what makes us certain we will find out?

Who are our likely adversaries?

In management’s opinion, what is the most serious vulnerability related to cybersecurity (including within our IT systems, personnel, or processes)?

If an adversary wanted to inflict the most damage on our company, how would they go about it?

Has the company assessed the insider threat?

When was the last time we conducted a penetration test or an independent external assessment of our cyber defenses? What were the key findings, and how are we addressing them? What is our maturity level?

Does our external auditor indicate we have cybersecurity-related deficiencies in the company’s internal controls over financial reporting? If so, what are they, and what are we doing to remedy these deficiencies?

Conversations, not mandatesOrganizations need to facilitate risk conversations instead of setting mandates. A conversation enables leaders to come to agreement on the likelihood of an incident occurring, what an incident might cost and what countermeasures can be put in place. Conducting a business outcome risk conversation is a completely different conversation than a compliance conversation, and one that would unite and benefit business and security leaders alike.Partner with a trusted risk advisorOptiv Security is a security solutions integrator that enables clients to significantly reduce enterprise risk by taking a strategic “inside-out” approach to cybersecurity. While the traditional threat-centric “outside-in” approach focuses first on identifying specific threats and then on reacting with technology procurement, Optiv starts with the core equirement of every enterprise—risk mitigation—and builds out from there with strategy, infrastructure rationalization, operations optimization and ongoing measurement. This enables clients to build a sustainable risk-centric foundation for implementing proactive and measurable security programs that are far more effective at reducing current and future risk than is possible with the reactive outside-in model.