CIOs and CISOs will inevitably have to accurately answer the holy grail question from the C-suite: Are we 100% secure?
Now, how does a security-conscious leader answer such an important question in a practical, business-focused manner? Here are some of the Do’s and Don’ts of answering this important question:
Do’s:
- Instead of saying “we are 100% secure,” socialize and educate the C-suite on the term cybersecurity risk management. Indicate that the threat landscape continuously evolves and encourage them to think of cyber risk management as a journey, not a destination. Focus instead on the risk appetite they are willing to accept, given the many limitations based on company size and associated budget and resources.
- For presentations, have no more than five slides when presenting to the board/leadership team. Talk in terms of risks to the business in the event of a potential security breach. Indicate the important/critical business systems and communicate impact to business operations, given the current and future threat landscape.
- Explain how saying “we are 100% secure” does not measure cyber risks effectively, and also how cyber maturity and risk management are the KPIs of the organization’s cybersecurity and risk programs. As a security leader, it’s imperative to explain that from the start.
- Use security and compliance certifications as a secondary measurement to communicate cyber risk management. Indicate that these are absolute must-haves, but only form a security baseline. Again, communicate in terms of cyber maturity and risk management of critical business assets and potential impact to business.
- Use tools/technologies to indicate cyber maturity and risk management of critical assets and what it means in terms of potential business impact. Also, explain why the organization needs to invest in tools/technologies that integrate cyber maturity and security risk management metrics with the broader enterprise risk management metrics in the context of overall business risks. The board and CEO are well-versed in business risks and will understand this approach.
Don’ts:
- Never say: “we are 100% secure.”
- Showcase a few key metrics in presentations to the board and CEO. Don’t mislead them by offering too many metrics.
- Don’t use industry security and compliance certifications to indicate that the organization has 100% security – even if these potentially serve to falsely bolster the team’s personal confidence. Consider the certifications the baseline of the program.
- Don’t use the plethora of tools/technologies and transpose a dollar value to justify the “100% secure” narrative. Big budgets do not necessarily equate to being fully secure.
Security teams also have to think in terms of answering the same types of questions from business partners and customers. With that in mind, here are some important takeaways to consider:
- Stay proactive with the CEO and board. Educate them in terms of how the company wants to measure cyber risk management performance. Do this from the first meeting and at every subsequent meeting.
- Take this proactive approach with customers and business partners. It’s important to make many of these same points with customers, partners, prospects, and internal and external stakeholders.
- Stress security awareness training programs. Educate the organization in terms of what makes sense in cyber risk management and what doesn’t. Set the context from the executive management down, across the rank-and-file of your entire company.
- Leverage industry-accepted tools and technologies. Explain how these technologies illustrate cyber risk management and cyber maturity metrics with respect to the organization’s critical business assets.
Security leaders should be measured not only on “shiny” slides, but also on how well they can articulate and effectively communicate to all relevant stakeholders how the cyber risk management program performs. And by all means, try to acquire the necessary budget and resources to run an effective program and get as close to the utopian “100% security” as possible.
Lokesh Yamasani, director of information security; Shamyo (Sham) Chatterjee, chief information officer, Linksys