How CISOs Can Successfully Talk Security to CEOs

It would be funny, if it were not so frustrating, that two individuals so intent on managing risk don’t understand one another. But that is the fundamental problem between business and security leaders. The gap is so huge that bridging it may seem nearly impossible. Yet, it can be done.

Here’s some much-needed illumination on why previous attempts to close the gap have resulted in bridges to nowhere—and how to fix that.

Understanding the C-level Perspective

“The fact that cybersecurity is a board issue is yesterday’s news,” said Nik Whitfield, CEO of Panaseer, a cybersecurity data analytics company. “While there is lots of data available, the puzzle that CISOs are trying to solve is how to bring this information together to show the board the picture they need to see.”

It’s like both sides are speaking a different language. The first step in effectively communicating with the CEO and board is to understand their risk language.

“As a CEO, my key concerns are growing the business and increasing shareholder value. As it relates to cybersecurity, I want a holistic picture, not a discussion of the latest technologies,” said Scott Kannry, CEO of cyber risk management company Axio.

Kannry noted his most valuable framework for understanding CISOs is to ask them to answer these four questions:

  1. Do we know our risk and fully understand the dollars and cents involved? Have we taken a sampling of scenarios, put various operational and functional staff around a table and used their collective knowledge to estimate what each of a variety of events could cost?
  2. Do we use a maturity-based cyber evaluation framework and align it with the scenarios quantified in the previous step?
  3. Do we maintain the resources and financial ability to recover from a meaningful event? Do we have the right balance of financial reserves and insurance to pay for as much (or all) of the forensics costs, notification requirements, lost revenue, stolen funds, legal fees and liabilities, repair costs or replacement of damaged assets and others? How do we understand how much insurance to buy? See Step 1.
  4. Do we benchmark our organization against others, possibly a peer group?

In short, CEOs and board members are looking for the bigger picture in risk calculations.

According to The Cyber Balance Sheet survey of more than 80 board members, CISOs and subject matter experts, “Board members were five times as likely to cite ‘risk posture’ as a key security metric compared to CISOs. They are also 13 times as likely to say the same about ‘peer benchmarking’ – showing boardrooms’ greater concern for the big picture.”

That same report found that board members are inundated with security data and often just assume CISOs have things under control. Hence, they tend to “tune out” and simply expect the CISO to keep everything secured. So when something does go wrong, all fingers point to the CISO—an untenable situation, to say the least.

Speaking in Business Tongues

“When discussing cybersecurity risks with the CEO, or the C-suite in general, it’s critical to bridge the gap from purely technical to business terms,” said Brad Arkin, CSO at Adobe. “Remember that top executives have to prioritize many aspects of the business, including investor expectations, revenue and profit, brand equity, employees, etc., so it’s your job as the CISO/security expert to illuminate the business case for security in a broader business risk management context.”

Specifically, this means dumping technical metrics and scare tactics from the conversation. Instead, focus on calculating risks in terms of business impact.

“As far as how risk is determined, the key is not to think primarily in terms of technical metrics, such as unpatched OS vulnerabilities or average password strength, but in terms of business impact,” advised Nir Gaist, founder and CTO of Nyotron, a security products and services provider. “What is the probability that bad thing X could happen to us? What is the business consequence of X? What is a possible way to calculate the financial impact of that business consequence?”

Tips and Pitfalls

Here is a quick list of dos and don’ts from your peers to help you build a conversation framework that will truly connect your message with the powers-that-be:

  • Speak to risk/reward appetites, not in absolutes. Businesses cannot survive, let alone prosper, if all risk is eradicated. “CISOs can fall into the trap of an engineering mindset that seeks technical perfection. This can undermine credibility and set up unfulfillable expectations. And it misses the central reality of business, which is that risk is essential to reward,” said Gaist.
  • Understand how your company makes money, and speak to that. “Effectively translating technical risk into business risk terms means you have to understand how your company makes money. A web-based company selling to consumers is going to be far more sensitive to web-server vulnerabilities than will a B2B logistics firm,” said Kip Boyle, founder and CEO of Cyber Risk Opportunities, a risk management consultancy and service.
  • Expect disbelief of your numbers, present them strategically. “Remember that no one believes the numbers on your deck right out of the box, and you’ll wind up in a debate over how good those numbers are. Instead, use numbers sparingly. If someone wants more numbers from you, let them ask for them,” said Gaist.
  • Set up a business report rather than a security report. “CEOs and other C-levels all follow clear forecasting, tracking and reporting. The closer the CISO can align to this methodology, the more impactful they will be,” said Tom Pageler, chief risk officer and chief security officer at Neustar and  formerly chief risk officer at Docusign and deputy CISO/executive of global security and investigations director at JPMorgan Chase.
  • Make the impact more personal. Whatever you are describing or pitching, bring the point closer to the audience’s personal domain. “For example, if the discussion is with the VP of Sales, describe sales forecast impact. If the discussion is with the CFO, discuss the exposure to lawsuits and other activities that will stem from a breach and cause additional monetary damages,” said Jason Sinchak, CTO of mobile security company Sentegrity and CISO of Emerging Defense, a cyber-security penetration testing and breach investigation consulting firm.

Now you’re all set. Go forth with confidence, speaking in business terms and with the understanding that there is no “us versus them”—there is only “we.”