# Opener

The CSO and Communication Prowess

Published by Scott Kannry

Welcome to Part II of Axio’s 2020 Resolution Series. We’re one week closer to some well-needed rest around the holidays and one week closer to the start of the 2020 sprint into a great year! As 2019 winds down, we hope that our Resolution Series can set priorities for the new year.

This week, our focus is on the Chief Security Officer (CSO), the person that the organization recognizes as being the most responsible for cybersecurity. For different organizations, alternative titles might be Chief Information Security Officer (CISO), Chief Technology Officer (CTO), or Chief Information Officer (CIO).

The Risk Communication Barrier

Let’s reflect on your experience as CSO in 2019 with respect to Board of Director meetings, budget discussions, and general organizational collaboration. Did you prepare for Board of Director meetings with updated heatmaps, threat and vulnerability reports, and a short list of things that you’ve implemented since the last Board meeting? How was that received? Was the Board engaged and enthusiastic about progress? Or were eyes glossing over and phones out within 3 minutes?

How were budgetary discussions this fall? When presenting your 2020 plan to the CFO, were you able to clearly convey your investments relative to risk reduced and get enthusiastic buy-in for your plan? Or did you get questioned as to why it seems that every single year, cybersecurity costs increase with no clear benefit?

How was dialogue and collaboration with your peers throughout the year? Did you have a robust partnership with the risk manager, perhaps frequently meeting over lunch and discussing how the fine-tuned insurance program would respond to major cyber losses that could happen to you? Or did you lament the week that you had to pull together a presentation, scrambling to talk to cyber insurance underwriters about your security program, all the while cursing under your breath about how insurance companies know nothing about cybersecurity and can’t be trusted?

If none of the above is true, you can chalk up 2019 to your best year ever from a cybersecurity leadership and recognition standpoint. Kudos to you! Keep it up.

On the other hand, if you are ending the year unfulfilled and despondent, our 2020 goal for you is to achieve more communication prowess and to ultimately be heard, recognized, and relevant.

Communicating the Need for Continued Cybersecurity Investment

Translating the technical complexities of cybersecurity to the business is challenging. Heat maps, threat reports, and vulnerability scans obscure the “so what?” Perceived as fearmongering, continually beating that drum about needing to do more is quickly losing favor. It’s time to elevate the conversation.

Where to start and what to do? Here’s the plan. Focus on understanding the financial side of cybersecurity and how to translate what you do to the daily cadence of the business. The easiest way to do that is to conduct a cybersecurity risk quantification exercise, so that you can speak in terms of the lifeblood of the enterprise – money!

Here’s a snapshot of how it works in practice:

  1. Understand the types of cybersecurity events that can occur based on how the business uses technology, and what the impact of those events could cost.
  2. Rank the narratives according to financial impact significance, and presto, you’ve translated the substance of your program into the currency senior management understands.
  3. Evolve and focus the conversation on the risk that you want to avoid and its relevance to the business.
    • Last year, you may have struggled to explain what is behind the yellow and red squares in the heatmap. Now you can confidently explain that addressing the yellow square is a wiser investment because it represents the potential cost of $100M event, in contrast to the potential impact of a $1M event behind that red square.
  4. Make recommendations based on risk reduction/protection ROI, a management team’s dream.
    • For example, is it better to make a $10,000 cybersecurity investment to eliminate a $10M type of event from occurring or a $15,000 investment to reduce the probability of a $250,000 event from occurring? Certainly the $10,000 investment is the better alternative, and now you can justify not making the $15,000 investment at all. Instead of spending $25,000 to turn boxes from red to yellow, you’ve invested $10,000 to eliminate $10M of cyber risk!

All told, utilizing a cyber risk quantification methodology can provide this level of insight, drive more effective decisioning, and finally establish yourself among the C-level execs at the firm. That’s communication prowess for cybersecurity—an achievable 2020 resolution for CSOs.