
4 Compliance And Risk Reports Every CISO Needs

By 2020, 100% of large enterprises will be asked to report to their board of directors on cybersecurity and technology risk at least annually, an increase from today’s 40% (Gartner).

With cybersecurity rapidly becoming a board-level issue, many CISOs face the same level of inquiry and scrutiny as a CFO or CEO. Cyber is no longer an abstract concept that can be assessed with the question ‘are we secure’ and a brief ‘yes’. According to Gartner, successful CISOs are leaders, communicators, and managers, and all CISOs need to be prepared to convey the progress their organization is making to ensure the enterprise stays secure as it continues to grow.

Shifting the conversation from high/low risk to good/bad risk

The issue many CISOs face in the boardroom is that their mentality is often at odds with the CEO’s. Where the CEO wants to pursue rapid growth and expand the company, the CISO will see the risks inherent in that strategy and seek out ways to minimize them. In short – a CEO seeks to maximize, and a CISO seeks to minimize. This dynamic, however, is predicated on antiquated technologies that created silos within the security organization.

Effective CEOs are trained to take the right business risks to drive growth. In order to get buy-in from their CEO, a CISO must reframe the inherent risks of new initiatives from a high/low model to a good/bad risk model. This shift requires a CISO to align their activities with business goals – instead of assessing risk through the lens of likelihood and impact, the good/bad risk framework looks at risk through the lens of value and appetite.

71% of non-IT executives said that concerns over cybersecurity are impeding innovation in their organizations – Gartner

Don’t be seen as an impediment to business progress – by aligning cybersecurity activities with business goals and taking a good/bad risk approach, you can effectively communicate the impact of new initiatives and help non-IT executives understand the inherent risks.

The 4 Reports To Effectively Communicate With Key Stakeholders

As enterprise stakeholders take an increasing interest in the security posture, the CISO needs to be able to convey their activities and success as effectively as a CFO can with a balance sheet and statement of cash flows. There are four recommended reports necessary to help you align your activities as a CISO with the goals and objectives of the enterprise: Executive Risk Report, Trend Report, GDPR Report, Global Report.

Executive Risk Report

An Executive Risk Report delivers a high-level overview of the company’s risk. There are three critical breakdowns within the report: risk by threat type, risk by business impact, and the data protection triad (confidentiality, integrity, availability).


Within the risk by threat type and risk by business impact, each bar chart reflects the volume of residual risk, remaining risk, and mitigated risk.

The data protection triad reflects the number of controls implemented to protect each dimension. With emerging integrated risk management (IRM) systems like the CyberStrong platform, CISOs are able to see each dimension in order of priority based on the number of controls employed for each.

A CyberStrong Executive Risk Report also delivers a risk report breakdown for control families. As CyberStrong is built on the NIST frameworks, this chart is delivered through the lens of NIST’s 800-30, breaking controls into detect, identify, protect, recover, and respond. This chart also reflects the amounts of residual risk, remaining risk, and mitigated risk.

Finally, a CyberStrong Executive Risk Report includes a more granular breakdown of the risk posture by control family. Each family is assigned a CyberStrong score, which feeds into the risk scoring itself. Unlike the charts above, this table breaks the categories of risk down further: inherent risk (total risk by family), residual risk (risk that remains after some controls have been implemented), and opportunity (the amount of risk that remains to be mitigated). This table can help you convey the critical aspects of your security program to other executives and see need-based priorities.

Trend Report

The CyberStrong Trend Report uses CyberSaint’s patented technology to deliver a CyberStrong score – a roll-up of all assessments in the environment and the number of active assessments ongoing. Further, the Trend Report shows the number of assessments and controls updated and the number of users logged in in the last week. This report will help you display the ongoing progress your organization is making to keep the enterprise secure and is a perfect jumping-off point to discuss more granular activities with non-technical stakeholders.

The CyberStrong Trend Report also includes more granular tables to show the strongest and weakest points in each active assessment. As with the granular table in the Executive Risk Report, these tables use the CyberStrong score combined with a breakdown of inherent risk, residual risk, remediated risk, and opportunity. These breakdowns reveal weak points in specific control families and help you and fellow senior leadership prioritize remediation.

The CyberStrong Trend Report also delivers overviews of progress on assessments and updates made to controls over one-, three-, six-, and twelve-month periods. The Trend Report is your month-over-month and year-over-year progress statement and helps you relay the operations of your organization to the Board and CEO.

GDPR Report

The General Data Protection Regulation (GDPR) has been a Board-level concern since its enactment in May 2018. As seen with Facebook, the first major infringement, in September 2018, GDPR is a critical concern from both a security and a business standpoint. The CyberStrong GDPR Report uses CyberSaint’s list of controls and actions to ensure compliance and increase visibility into GDPR posture on an ongoing basis.

Reflected in a radar graph that compares the enterprise’s posture against the GDPR standard, the report gives CISOs and stakeholders fast insight into their compliance.

The radar graph is followed by a granular table like those in the Trend and Executive Risk Reports. This table delivers a deeper view of each control family, matched with a CyberStrong score and breakdowns of inherent risk, residual risk, remediated risk, and opportunity.

The CyberStrong GDPR Report also delivers complete and comprehensive breakdowns of each control necessary for GDPR compliance.

GDPR marked the first legislative correlation of cybersecurity and business operations – and was a very public call to align business and security strategies. The CyberStrong GDPR Report allows CISOs to easily deliver an in-depth review of their enterprise’s GDPR posture to key stakeholders across the organization.

Overview Report

The fourth critical report necessary to reflect a CISO’s alignment with business strategy is a complete Overview Summary. A CyberStrong Overview Summary provides a complete report on an enterprise’s entire assessment environment.

Highlighted throughout the overview is the CyberStrong score (using CyberStrong’s risk model) – the first being a roll-up score of all active assessments ongoing. The following table delivers a brief overview of each ongoing assessment: its progress to date, its CyberStrong score, its owner, and when it was last updated. For CISOs delivering information on ongoing progress to the CEO and stakeholders, this table is critical.

Similar to the Executive Risk Report, the Overview Summary also delivers bar-chart breakdowns of risk by business impact, risk by threat type, and data protection priorities for the data protection triad.

The Overview Summary also delivers a CyberStrong score, a framework description, and a radar graph for each assessment. The radar graph compares the current status of the enterprise posture against the target score of the assessment. Further, the Summary delivers a risk report for control families and data protection priorities for each assessment, as well as individual control details.

The most comprehensive report necessary for CISOs, the Overview Summary gives stakeholders a deep view of the security posture of the enterprise and helps illustrate the alignment of new business initiatives with the risks that arise as a result.

Be prepared

As cybersecurity increasingly becomes a Board-level matter, CISOs need the ability to report on their progress and activities as efficiently as a CFO can with a balance sheet and statement of cash flows. The four compliance and risk documents (Executive Risk Report, Trend Report, GDPR Report, and Overview Summary) do just that – these reports empower a CISO to effectively communicate their operations to the CEO and Board. With a shift from a high/low to a good/bad risk mindset, a CISO presents themselves as what they always were – an asset to business operations.

*** This is a Security Bloggers Network syndicated blog from CyberSaint Blog authored by Alison Furneaux. Read the original post at: https://www.cybersaint.io/blog/4-compliance-and-risk-reports-every-ciso-needs