We recently had the rare opportunity to sit down with three cyber-experienced executives offering their views on cybersecurity and how to communicate cyber risk with the C-Suite and Board. Each of our panelists brings a unique perspective to the table, discussing how cybersecurity programs can be managed and what information actually helps them make successful decisions.
Check out our insightful conversation with:
- Bob Dudley, retired group CEO of BP and current Chairman of Axio
- Rex Thexton, Senior Managing Director of Global Cybersecurity Services at Accenture
- Scott Kannry, CEO and Co-Founder of Axio
We’ve outlined some high-level insights from this discussion below and highly recommend you watch the webinar for the full context and essential details.
The “modern CEO” and making the right decisions: how to communicate cyber risk with the Board and C-Suite (or what to expect from your CISO if you are on the Board)
The “core challenge” CISOs face today is how to communicate program value to the Board. It is critical that the Board have the “right type of understanding” to make decisions because cybersecurity goes beyond technology; it is a business issue, an operational issue, and a fiduciary issue. Today, the notion of cyber risk belongs to the C-Suite execs and the Boards, and it is their duty to protect the business and ensure sustainability of the organization.
It’s a myth that success as a CISO is only possible if you can prevent every possible breach. The point of risk is realizing that something will happen. So how can leaders feel confident in making these pivotal decisions? All Board members have a role in addressing the financial impact an attack poses to the business.
At a high level, CISO/CEO/Board discussions should cover three main points:
- Where are we? (current risk summary)
- Where do we want to go? (planned risk summary)
- How do we compare to our peers? (benchmark risk summary)
If an attack happens, and it will, benchmarking can help you demonstrate where you’re successful in managing your programs and where you need improvement.
Transparent, defensible framework: what information will help you make successful decisions around cyber risk?
In today’s cybercrime landscape, Boards need to be “cybersecurity literate” and understand what the risks are. The only way to understand cybersecurity from a business perspective is to comprehend the financial implications. Business leaders must be able to determine how much and where to invest in defense against attackers, yet many CISOs struggle to demonstrate the financial impact of a breach.
Therefore, a data-driven approach to cybersecurity is essential. A transparent, defensible framework can translate business context into risk assessment. To provide this type of data, financial impact and risk quantification play a vital role.
Quantification: traditional risk assessment is not enough
A data-driven approach to cyber risk assessment goes hand in hand with risk quantification. As threats continue to grow and evolve, it becomes more important to optimize security budgets. Simply buying the latest trending software tool from vendors is no longer the answer, and even with an unlimited budget, there’s still a high chance of getting breached.
How can you optimize your security budget? Quantification gives you defensible numbers to determine your budget and what initiatives should get funded or prioritized. Decisions on security initiatives, Bob notes, must be made the same way other decisions around risk are made, starting with the question “How much financial risk is acceptable?” Tools like Axio360 can help you determine priorities and make these decisions.
Continuous workflow process improvement: security is an ongoing issue
Just like with physical safety, Bob says, you need to have proper ongoing maintenance and stay “on top of it every single day.” Being compliant doesn’t reduce your attack surface. Compliance measures, for example, give you a checklist to complete, but this leads to a false sense of security, making people comfortable when they shouldn’t feel comfortable, Rex explains.
It would be irresponsible for a CFO to look at their balance sheet only once a year, and the same should go for CISOs, CEOs, and Boards when it comes to cybersecurity. Cybersecurity must be a continuous, ongoing process. Just as the threat climate continues to grow and change, so too should organizations change the way they react to the cyber threat landscape.
But where to focus your resources? Priorities in cybersecurity can be identified through quantification, which includes thinking about what decisions you should make to drive the results you want, and how much financial risk is acceptable for the costliest and most likely breaches.
Being reactive is no longer acceptable: successful cybersecurity is proactive
“They say, a near-death experience for large companies is what’s needed to shake it up and change culture, and we certainly had one,” says Bob, referencing the BP Deepwater incident. “We had to act really fast to prevent…the end of the company, and I’m not exaggerating here,” he added. No organization wants to experience this “near-death” position, and it has become apparent that proactive cybersecurity risk assessment is the best way to avert a catastrophic breach.
Tools like Axio360, Bob continues, can really help organizations “get [their] arms around cyber risk.” You can proactively determine what your risk appetite is, prioritize security projects, and prevent or respond effectively to the inevitable cyber-attack coming your way.
Check out the full webinar with Bob Dudley, retired group CEO of BP and current Chairman of Axio, Rex Thexton, Senior Managing Director of Global Cybersecurity Services at Accenture, and Scott Kannry, CEO and Co-Founder of Axio.