What CISOs Need to Tell their Boards About Cybersecurity

By now, your company’s Board of Directors should have gotten the message: Cybersecurity is their responsibility, too. Over the last few years, shareholders have filed lawsuits against directors and officers at companies like Target, Wyndham Worldwide, Heartland Payment Systems and TJX Companies following massive data breaches. Those suits charged that these parties failed to meet loyalty and fiduciary responsibilities because of inadequate information security controls, policies and procedures.

Indeed, Boards are concerned about cyber-risks, though they are not always as engaged as they should be, according to PwC in its key findings report from the 2015 US State of Cybercrime Survey. Thirty percent of participants say, for instance, that there is no Board engagement in this area at all, compared to 25% who report full Board of Directors engagement. The report recommends that “security executives should not wait for the Board to ask questions about cyber-risks and cyber-security preparedness.” Rather, CISOs and CSOs should proactively and regularly update the Board on what is being done to monitor and mitigate cyber-risks.

How will you as an IT leader act on that advice? What will you tell your Board members that your company is doing to protect its most valuable assets, and how do you best convey that information?

One suggestion is to start by reminding them that we are now operating in a cloud-first world. Tell them that your team is working hard to keep business-critical applications and data safe wherever they reside – on-premises, in private clouds, or in hybrid clouds – even as the number of access points available to attackers keeps growing.

Ideally, you’ll be able to communicate the following about your security arrangements:

You’ve changed strategy to address the changing threat landscape

Make it plain to your directors that the threat environment is expanding. Tell them that to combat it, you are pursuing the deployment of a comprehensive and integrated security solution.

You’ve seen past approaches fall down on multiple counts

To that end, explain that your focus has been on moving beyond discrete defense disciplines – perimeter defenses, log management, vulnerability management, and endpoint security – and even beyond Defense-in-Depth layering tactics, all of which have fallen short on their own.

While these approaches have value, your Board needs to know that ultimately they leave your enterprise with too many disparate systems; too many alerts carrying too little information about cause and resolution; and no protection against zero-day threats that exploit previously unknown vulnerabilities.

Relying on point systems or Security Information and Event Management (SIEM) solutions alone also results in too much focus on how something bad happened, rather than a proactive approach that uses current activity to understand that something bad is about to happen.

Your current plan emphasizes total, integrated security

Highlight the fact that your efforts are now directed toward a holistic and adaptive security solution that complements existing security deployments, so that the return on those investments is not sacrificed.

What matters today is a multi-layered security architecture that takes a “predict, detect, and neutralize” stance spanning premises-based, cloud and hybrid network environments.

Such an architecture should include:

  1. Real-time analytics
  2. Continuous expert monitoring
  3. Perimeter/interior protection
  4. Peer-level information sharing
  5. Operational ease of use

A modern, agile security architecture must be able to recognize patterns in network behavior automatically, so that threats are identified before they cause harm – a capability enabled by adaptive behavior analysis and machine learning.

Experts suggest that your dialogues with the Board should be framed in the context of risk, which as businesspeople they’re primed to understand. So consider including in your presentation statistics that illustrate that risk and its cost, such as:

Then, help them understand how your revised approach to security is working to defeat those risks. You can do that best by showcasing key performance indicators – such as the number of attacks identified and repelled, the elapsed time from incident identification to remediation, and the control cost/effectiveness ratio – that let them quickly grasp the impact of your work and measure its success over time.

Given what is at stake, it has never been more critical for directors – and your company’s investors – to stay plugged into cyber-security threats and what you are doing to address them. Considering how easily attackers can obtain the tools for their work – not to mention the criminal enterprise or state sponsorship behind so many attacks – this problem is not going away anytime soon.

About Craig D'Abreo

VP, Security Operations, Masergy
Craig oversees the Managed Security, Threat Intelligence and Security Professional Services departments at Masergy. He is responsible for Masergy’s proactive enterprise cybersecurity threat management and operations program. Craig holds a bachelor’s degree in Computer Science and an MBA in Information Security. He is a Certified Information Systems Security Professional (CISSP) with over a decade of experience in the security industry and holds various network security certifications. He has written for various security blogs, spoken on a range of industry panels and is a recognized thought leader in the cybersecurity space.