“Are we secure?” is a question that boards of directors frequently put to their CISO.
As joint owners of the organization’s cybersecurity strategy, the CEO, CIO, and CISO need to communicate, tactfully, that this is the wrong question for a board to ask.
Answering “yes” is, at best, a partial truth: every CISO can tell you that their program is not as far along as they would like it to be, and a breach could occur the very next day. “Yes” is never the right answer, even for solid cybersecurity programs. Being truly secure is an ideal state that no program can achieve.
“No” is a bad answer, too, because the board may respond by shifting from governance into an operational management role, a role the CISO most definitely does not want the board attempting to fill.
Asking the Right Question
A better question would be “Are we addressing known risks within our tolerance levels?”
This question signifies program maturity in two ways:
- Risk tolerance is defined, understood, and measured.
- Known risks are captured and assessed against an internal standard.
This question includes the notion that unknown risks might arise and that no security program can definitively claim to have captured all risks to the organization.
But “material risk” means something very different in a 10-K or 10-Q filing than it does to most security practitioners. CISOs must learn to speak about risk in terms the board already knows. There are many standards and methods for calculating and measuring cybersecurity risk, with varying degrees of mathematical rigor and varying alignment with the measurement systems already used for older business risks such as physical security and fraud risk, regulatory risk, operational risk, financial risk, and reputational risk.
Consulting the CFO, General Counsel, or Chief Risk Officer (if that role exists) can go a long way for the CISO. Look to models such as the Sharpe ratio, earnings at risk (EaR), maximum probable loss and value at risk (VaR), and economic value of equity (EVE) for ideas on how materiality is defined. These methods of measuring and reporting financial risk predate cybersecurity’s arrival in the boardroom, and they speak not just to potential loss of revenue or reserves but to the overall value of the organization.
Those seeking to measure and articulate cybersecurity risk should take note.
None of these exact methods need appear in the CISO’s calculus, but understanding what they measure and what they are meant to convey is imperative.
Understanding and Addressing Risk
At the end of the day, CISOs should perform business impact analysis and understand risk in terms of likelihood and impact, ultimately arriving at a consistent measure of materiality. Some risks are easier to quantify (regulatory fines) than others (reputational damage), but the business can agree on estimates grounded in common business factors and statistics drawn from the outside world.
Starting with a simple ordinal likelihood-and-impact scale (usually a 5×5 matrix) is an acceptable way to begin operating a cybersecurity risk program, with the caveat that ordinal scores support ranking risks relative to one another, not adding them up or converting them into a loss figure. More precise (but more complex) methods exist, such as Factor Analysis of Information Risk (FAIR™) from the FAIR Institute, which apply a quantitative model to risk measurement. General-purpose quantitative techniques such as Monte Carlo simulation and Bayesian probability can be used as well. If the organization adopts one of these more complex models, only the results, together with a firm statement that the model is applied consistently, need to be shared with the board, not the details of the measurement.
Material risks can then be stack-ranked and a tolerance threshold ratified. Once that threshold is established, a risk register should be compiled with an order of operation, tackling the risks above the line either in order of materiality or in the order the organization is able to address them.
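The two ways of measuring a register described above, an ordinal 5×5 score and a quantitative annual-loss estimate, are easy to confuse when they sit side by side in a spreadsheet. The following is an added worked example, not code from the original article or from the FAIR Institute: it scores each register entry on the 5×5 matrix, estimates annual loss for the same entry with a Monte Carlo simulation (an assumed Poisson event frequency and lognormal loss per event, one common simplification; FAIR’s own factor model is not reproduced here), stack-ranks the register by 95th-percentile annual loss, and flags entries above a tolerance line. The register entries, frequencies, dollar figures and the tolerance value are all constructed sample data.

```python
# Added example (not from the original article): a small risk register scored on
# the 5x5 ordinal scale and, for comparison, with a Monte Carlo annual-loss estimate.
# Frequency is assumed Poisson and per-event loss assumed lognormal; every figure
# below is constructed sample data, not a real organization's register.
import math
import random
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    likelihood: int         # ordinal 1 (rare) .. 5 (almost certain)
    impact: int             # ordinal 1 (negligible) .. 5 (severe)
    events_per_year: float  # assumed mean event frequency (Poisson rate)
    loss_median: float      # assumed median loss per event, in currency units
    loss_sigma: float       # assumed spread of ln(loss) per event (lognormal)


def ordinal_score(risk):
    """Plain 5x5 matrix: likelihood x impact, with both values validated to 1..5."""
    for value in (risk.likelihood, risk.impact):
        if not 1 <= value <= 5:
            raise ValueError(f"{risk.name}: ordinal values must be 1..5, got {value}")
    return risk.likelihood * risk.impact


def _poisson(rng, rate):
    """Knuth's method for Poisson draws; fine for the small annual rates used here."""
    threshold = math.exp(-rate)
    count, product = 0, rng.random()
    while product > threshold:
        count += 1
        product *= rng.random()
    return count


def simulate_annual_loss(risk, trials=20000, seed=7):
    """Return sorted simulated annual losses; seeded so runs are reproducible."""
    rng = random.Random(seed)
    mu = math.log(risk.loss_median)
    losses = []
    for _ in range(trials):
        events = _poisson(rng, risk.events_per_year)
        losses.append(sum(rng.lognormvariate(mu, risk.loss_sigma) for _ in range(events)))
    losses.sort()
    return losses


def percentile(sorted_values, p):
    """Empirical percentile of an already sorted list (0 < p < 1)."""
    index = min(len(sorted_values) - 1, int(p * len(sorted_values)))
    return sorted_values[index]


def expected_annual_loss_analytic(risk):
    """Closed form E[N] * E[X] for Poisson frequency and lognormal severity.
    Comparing it with the simulated mean is the consistency check the board is promised."""
    return risk.events_per_year * risk.loss_median * math.exp(risk.loss_sigma ** 2 / 2)


def rank_register(risks, tolerance, trials=20000, seed=7):
    """Stack-rank by simulated 95th-percentile annual loss and flag entries over the line."""
    rows = []
    for risk in risks:
        losses = simulate_annual_loss(risk, trials, seed)
        p95 = percentile(losses, 0.95)
        rows.append({
            "name": risk.name,
            "score": ordinal_score(risk),
            "expected_loss": sum(losses) / len(losses),
            "p95_loss": p95,
            "above_tolerance": p95 > tolerance,
        })
    rows.sort(key=lambda r: (r["p95_loss"], r["score"]), reverse=True)
    return rows


# Constructed sample register (assumed values for illustration only).
SAMPLE_REGISTER = [
    Risk("Ransomware on file servers", 4, 5, 0.5, 2_000_000, 1.0),
    Risk("Phishing credential theft", 5, 3, 6.0, 20_000, 0.8),
    Risk("Lost unencrypted laptop", 3, 2, 2.0, 15_000, 0.5),
    Risk("Unpatched legacy application", 2, 4, 0.2, 500_000, 1.2),
]
TOLERANCE = 2_000_000  # assumed board-ratified line: 95th-percentile annual loss per risk

if __name__ == "__main__":
    for row in rank_register(SAMPLE_REGISTER, TOLERANCE):
        flag = "ABOVE tolerance" if row["above_tolerance"] else "within tolerance"
        print(f"{row['name']:<30} score={row['score']:>2} "
              f"EAL={row['expected_loss']:>12,.0f} p95={row['p95_loss']:>12,.0f} {flag}")
```

Two points the output makes that the paragraph alone does not: the ordinal score and the simulated loss do not always rank entries the same way (phishing carries the highest ordinal likelihood but a modest annual loss), and the tolerance line has to be stated against a specific statistic (here the 95th percentile, not the mean) before “above the line” means anything. The closed-form expected loss is included so that the simulation can be checked against it whenever the model or its inputs change, which is how the claim of consistent application is actually backed up.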
It is acceptable for some risks not to be actively addressed yet, provided specific plans exist to address them.
If the right risks are being addressed, or are scheduled to be addressed in a meaningful and planned way, then both the CISO and the board should be satisfied.
“Are we addressing known risks within our defined tolerances?” “Yes.” The right question is asked, and the right answer is given.