Building Board Confidence in Cybersecurity Risk Assessment
By E. Doug Grindstaff II, CMMI Institute Sr. VP of Cybersecurity Solutions
As high-profile breaches continue to hit the headlines, exposing companies to reputational and financial damage and triggering lawsuits over required fiduciary responsibilities, cybersecurity risk assessment remains firmly at the top of the agenda for corporate boards. So it’s a disturbing fact that surveys show up to 87% of board members and C-suite executives lack confidence in their organization’s level of cybersecurity.
Addressing that lack of confidence is already the biggest challenge that many CISOs and other security professionals face. If you haven’t yet climbed that mountain, you almost certainly will—and relatively soon. I recently came across Gartner Inc. research showing that, by 2020, 100% of large enterprise CISOs will be asked to assess cyber and technology risk for the board at least once a year.
Allow me to emphasize that startling statistic: Within two years, security professionals at essentially every large company (and a significant number of medium-sized ones as well) will have to regularly describe to skeptical board members the effectiveness of their cybersecurity risk assessment strategy—in terms that the board can understand and translate into corporate decisions.
Today, many are not well-equipped for that task. “There’s often a misalignment between what the board needs to know and what security and risk management leaders are able to convey,” as Gartner research director Rob McMillan put it in that research report. “It’s critical that security and risk management leaders supply board-relevant and business-aligned content that is not hampered by overly technical references.”
To quote from an EY analysis of the board’s evolving role in cybersecurity risk assessment, “Board members we talk to find that their prime challenge in this area is obtaining relevant, objective and reliable information, presented in business-centric terms. This affects board members’ ability to understand the risks facing their organizations and evaluate management’s response to these risks.”
CISO in the Hot Seat
For CISOs, the question is how to provide the information that boards need. The problem is not as simple as eliminating overuse of technical jargon—although that can certainly generate glazed stares from non-technical board members. The larger issue, I believe, is that CISOs lack the evidence they need to provide objective and reliable information—and to measure in a board-comprehensible way how effectively the company’s cybersecurity strategy addresses its biggest business risks.
Here’s a painful real-life experience recounted by a CISO at one large multinational financial-services company. Summoned to the boardroom to discuss the company’s cyber risk assessment strategy, he waited anxiously in the hot seat.
The board asked him a single question: “Are we safe?”
His answer: “I think so.”
As you can imagine, that vague-sounding statement didn’t sit well with board members worried about corporate exposure—and their personal liability—at a company responsible for handling sensitive financial information in millions of transactions every day. After an uneasy silence, one of the directors probed one level deeper: “Well, what do you mean, ‘you think so’?”
The CISO explained that he thought his team was doing a good job—but it was hard to quantify in business terms. Furthermore, he had no way to reliably compare the company’s management of cyber-risks with other companies—he had to rely on anecdotal evidence shared by his peers, but couldn’t validate whether what they were saying accurately reflected their company’s real security practices or how effectively their efforts mitigated their company’s business risks.
Communicating Cyber Risk Assessment Maturity to the Board
That CISO’s story helped spark the idea for the CMMI Cybermaturity Platform, which we subsequently developed to address precisely these challenges relating to objective evidence. Of course, his experience is far from unique: During the development of the platform, we interviewed hundreds of other senior security professionals who described similar frustrations, helping us shape the platform to meet their needs.
At one level, the CMMI Cybermaturity Platform addresses the challenge of communicating a cyber maturity assessment to the board in terms they understand: How it mitigates enterprise risk. But we believe its value is much broader than that. It helps to focus and drive the company’s entire cybersecurity strategy to address those risks.
The process starts by defining the company’s unique risk profile, including the company’s biggest cybersecurity risks and the potential severity of their business impacts. These risks differ by industry and by company, depending on factors such as the company’s business focus and risk tolerance. One company’s biggest fear may be a breach that exposes consumers’ information; for another, it may be theft of intellectual property or compromise through third parties. The platform then engages the company’s staff in documenting everyday security practices. It rolls up the risk and practice information into a comprehensive cybermaturity assessment, organized into broad security capabilities—and it compares the maturity of those capabilities with the target maturity required to address the company’s most important risks. This assessment is presented visually in simple bar charts, making it easy for board members to immediately grasp the company’s current and target levels of cybersecurity maturity.
Further, the CMMI Cybersecurity Platform is updated every six months to reflect the changing threat environment and emerging best practices. Enterprises can have confidence that their assessments up-to-date and reflect current needs.
The platform enables CIOs and CISOs to provide concrete evidence to answer not only the question “Are we safe?” but also others that the board is likely to ask, such as “Where are we most exposed?” and “What will it take to advance the company’s security to a point where we have responsibly responded to our primary risks?” It also lets security professionals drill down into the underlying information, when necessary, to answer more detailed follow-up questions about the company’s cyber risk assessments.
The platform also supports benchmarking—within industry sectors, regions, or companies of a similar size, for example. That can answer other board questions, such as “How well protected are we compared with other companies?”
By comparing the current maturity of cybersecurity capabilities with their target states, the platform provides a simple, clear way to show the board where the company should invest its limited resources to mitigate the biggest risks. Internally, the platform drives development of security capabilities, acting as a bridge that translates corporate priorities into cybersecurity strategy, builds a common understanding across the whole organization, and focuses security initiatives on the most important business risks.
CISOs can then use the same platform to track improvements in cybersecurity maturity over time and show the board exactly how the company’s security investment decisions have paid off.
Giving the Board the Information They Need
Cybersecurity maturity is likely to become an even higher-profile board concern over the next few years, as companies increasingly use technology to transform their business and new threats and vulnerabilities continue to surface. Board members are seeking objective, evidence-based cyber risk assessment information to overcome their current lack of confidence in cyber risk management programs. More than ever, CISOs will need to be able to provide that information in language that the board can understand, and to demonstrate how the company’s investment mitigates its most serious enterprise risks.