6 Tips Any CISO Can Use to Inform their Organization’s Executives on Cybersecurity

A Chief Information Security Officer is a person who is always in a tough spot. Not only is a CISO responsible for the day-to-day safety of their organization, but they must be able to explain to the C-Suite what is going on from a cybersecurity perspective and do so in language that the other executives understand.

After all, what a CISO has to say is all about protecting the business from threats to its computer systems and reducing risk, items that need to be on every corporate management agenda.

The concept of protecting an organization from a cyberattack is quite well known. Attacks happen daily and are covered by the mainstream news, so it makes sense that those occupying the C-Suite would be well versed in understanding this potentially existential danger to their organization.

But this is not always the case. Many people occupying this rarified place in the business world bring different skills to the board room, skills that are not necessarily technical, and many may simply not have had the time to learn the ins and outs of cybersecurity.

To help those CISOs struggling to find the right combination of words and tactics, we sat down with Rob Horne, Principal Consultant, Cyber Advisory at Trustwave, who offered up some tips.

1. Why do so many executives still lack a solid grasp of the dangers that exist?

Some of this, I think, has to do with the fact that those in the C-Suite believe their internal resources are sufficient to handle the security issue and are more concerned about costs. To rectify this, a CISO must speak in the right language.

As an industry, we’re awash with acronyms and new technical terms for the latest piece of technology, then we wonder why nobody understands us. We need to use language that translates to an executive’s vocabulary and knowledge.

To give an example from the world of finance, the meaning of ‘net income’ is straightforward, but if I said EBITDA would I expect you to know what I meant? However, this is only half of the story; we need to take a more holistic view and provide the context, as executives also need to understand who is a threat and why.

2. What are the most common security topics that higher level executives don’t, but need to understand?

The most common problems that can be incurred by a cyber incident are disruptions to the business/productivity; being unable to transact business for a period of time; the impact this has to the bottom line; and finally, the impact to customers; that being the loss of goodwill and reputation.

Potential impacts and outcomes can start from minor technical disruption to loss of the entire business, personal regulatory fines and even custodial sentences. That’s not meant to be a scare tactic, it’s a realistic estimation of extreme consequences, and when planning for disaster it’s wise to plan for the worst.

While we may be in the twenty-first century, the online environment is still very much akin to the old Wild West: lawless, dangerous, and uncertain. Operating with a sufficient level of resilience takes internal effort and resources, and these requirements also need to be communicated to and understood by those who run the company.

3. What are a couple of key talking points a CISO needs to keep in mind when briefing the C-suite?

First, cybersecurity isn’t a point in time, it’s an ongoing issue. After all, bad actors don’t go away after you address vulnerabilities on any given day. Second, communicating the depth and breadth of knowledge required to stay up to speed with what is happening in the world of cybersecurity.

There are no simple solutions in such a fast-paced, evolving world; there is no silver bullet. This means information must be presented as a journey with no pre-defined destination. This is an important point because, as a CISO, you will need to ensure your audience isn’t expecting you to solve the big issues, but at the same time, they need to understand that continually fixing the small issues is a required and valid approach.

Along similar lines, make them aware that the latest all-singing, all-dancing technology is not a panacea, as it may not be the right tool for your business. Its functionality may be achievable with existing tools, or it may require new staff, or existing staff to learn new skills, to manage.

Furthermore, cyber resilience requires a layered approach: many controls backed by policies and procedures, working together in harmony. A CISO will need to explain to the C-Suite that their role is to spin hundreds of plates at the same time, where just one falling could bring the rest crashing down.

4. Risk Appetite is a popular phrase tossed about now to describe how a company should determine the extent and expense it is willing to incur to protect itself. Can you give a brief definition of Risk Appetite and how an organization can go about determining its Risk Appetite?

Risk is a combination of factors: how likely is it to happen, what will the impact be, are we vulnerable to it occurring. But it gets a little more complicated when you consider one vulnerability can have an effect on multiple risks, and two small risks combined could lead to a more serious impact. Only when you’ve worked out a quantitative way of defining risks can you move forward.

However, this step is not easy. Understanding and determining an organization’s risk appetite is complicated enough that we will dedicate our next blog to the topic.

5. How important is it to have cybersecurity metrics on hand when conducting a C-Suite briefing? What are a few of the most important metrics the board needs to understand?

Metrics need to tell a story, and that story can be about how you’re trying to hit a constantly moving target, which is evolving while the organization is changing how it reacts. However, metrics need to be understandable, so clarity and simplicity are key; trying to get too many messages into a metric will devalue it. If the messages are worth telling, split them up and tell them separately.

But metrics can do a lot more. Many metrics are operational in nature: they show what has been done. Outcome-driven metrics should be used to tell a story about a business objective, provide context and be qualitative in nature. From the CISO’s perspective, metrics can add value to the decision-making process in terms of budget and resource requests, as they will clearly demonstrate how you are going to achieve a corporate objective and what you need to do so.

6. How can a CISO faced with keeping their C-Suite up to speed improve, and how can Trustwave help in this endeavor?

Keep the message front and center, test their understanding and add to their knowledge. Today, more than ever, the need for cyber resilience remains critical in a constantly changing environment.

The past few years have seen a move away from centralized physical facilities to the work-from-home culture, while at the same time this has changed the traditional cyber defenses, with the increasing reliance on cloud and the need to take a zero trust approach. Reporting to the C-Suite is the CISO’s method to validate their value, demonstrate progress and publish achievements; metrics are the tools that bring this to life. Let Trustwave help you get the most out of what you say.

Trustwave has many years’ experience in helping organizations achieve a high level of cyber resilience across multiple industries. Because of this, we can help CISOs assess, improve and test their security, and also help present the value these activities are bringing to the organization.
