By Tim Fleming

Tim Fleming

Cyber risk is now nailed firmly to the board table. A seemingly never-ending procession of high-profile data breaches and attacks causing operations to grind to a halt has seen to this. Fighting for priority amongst other business siloes has become less of a problem for the CISO.

However, a perennial issue that still holds cyber-risk back in the boardroom is that of communication. Interactions can still sometimes feel like they’re taking place in different languages, or are focused on disparate objectives, something the accomplished security leader is now conscious to avoid.

Clouds on the economic horizon make this even more important. As a slowing global economy weighs on sentiment, the people, processes, and technology which make up a security leader’s risk posture come under the microscope. Questions are asked about priorities. Both channel leaders and the CISO are having to work harder to justify where chips are laid.

CISO Communication Tips

Against this background, understanding how the macro-economic climate has an impact on how CISOs communicate with the board becomes even more important.

Organisational impact as a unifying language. Now more than ever, a common language is crucial. As the economy tightens, so does the focus of the organisation on what is truly important — operational uptime, customer trust, reputation, regulatory compliance and, typically, the ability to continue generating revenue.

This is the lens through which discussions must be had. Channel partners with a clear understanding of this come into their own. It’s not about cyber-risk, but operational risk. In an economic downcycle the point must be made that, while the root cause of the problem might be micro, the impact could be macro. However, with the devil lying in a fragmented tangle of technical details far abstracted from operations, this is often lost in translation.

Take Colonial Pipeline, for example. The shutting down of the pipeline was caused not by a direct attack on OT systems, but a knock-on effect of billing infrastructure being compromised and a fear of lateral movement into critical areas. Imagine trying to convince a board in advance that such a seemingly tangential risk would ultimately stop 380m litres of oil from flowing, every day. Doing so would have required a mastery of big-picture storytelling, just enough technical nuance, and a need to not appear a scaremonger.

Making an effective cost argument for risk initiatives. In contrast to being able to articulate big-picture impacts, security leaders in challenging economic cycles also need to articulate and defend the finer details of how they are prioritising investment. OPEX will invariably come under the spotlight as the security function is quizzed on potential cost savings.

Against this backdrop, working closely with security leaders to help them communicate the bang for buck from specific defensive capabilities is important. CISOs will be breaking out the cost of security initiatives line item by line item to highlight how much risk is addressed by each, so management teams can better understand the impact of expenditure. This is where risk frameworks can be a useful tool. By summarising how a seemingly fragmented set of security initiatives mesh to secure operations, it better communicates where security tools can perform best. Just as importantly, it highlights where exposure will occur should cost savings be sought.

Take, for example, identity programs. A strategic approach to identity is an increasing part of board-level conversations because it represents a highly effective investment against a broad swathe of cyberattacks. While, to date, conventional controls have only covered small sections of the identity threat surface, security teams are waking up to the wholesale risk-reduction benefits that can be achieved by understanding where these gaps lie and preventing malicious access. Doing so stifles lateral movement, stopping threat actors from …

… carrying out a wide range of attacks. By working with the CISO to highlight the return on investment from identity security initiatives, both channel and security leaders will be in a stronger position when faced with board-level scrutiny.

CISOs are also equally making the important case in such conversations for protecting the workforce as much as possible. During tough times, it’s tempting for senior teams to cut heads to make quick cost savings. While this represents a short-term gain on paper, the lost investment in people will be hard to replace when the inevitable upswing occurs and will require an expensive and lengthy process down the line. It is crucial to position people as a cost-effective defensive investment, rather than an overhead expense. For the channel, this may initially seem to provide competition for budget dollars, but empathising with the need to take a longer view is crucial to maintaining important relationships.

The importance of senior stakeholders. The final piece of the puzzle is the importance to the CISO of stakeholder management. Understanding which members of the senior team have influence, directly or otherwise, over budgets and strategy is increasingly important.

For an overview of where influence needs to be applied, start with a map of the people who the security function has a bearing on and vice versa, whether technical or otherwise. With this, the CISO can bring these people in early to the decision-making process to ensure joint ownership of any proposed strategy or initiatives. Disgruntled stakeholders ask difficult questions and cause friction, and it’s often the result of a lack of understanding about where cyber-risk fits into their area of operations. This is avoided with clear, transparent conversations. A CISO who takes the time to educate the right people will enjoy a far smoother path at board level.

Strategic Approach Important to Justify Resources

The debate around communicating with the board isn’t a new one for channel and senior security leaders and both have advanced leaps and bounds in articulating the importance of a strategic approach over the last few years. Current market conditions, however, add pressure as they intensify the need to justify resources.

Understanding the pressures on a CISO and helping them collaborate with their target audience to frame communications in business terms, and being aware of where investment can be applied for maximum impact, puts everyone in good stead to weather the worst of it.

After retiring from Deloitte, Tim Fleming now works as a cybersecurity adviser and an IT strategy, governance and operations consultant, with emphasis on industries including media, financial and professional services. He currently is working closely with Silverfort. You may follow him on LinkedIn or the company @silverfort on Twitter.