
Navigating the Boardroom: Elevating Cybersecurity Conversations with Leadership

It's almost a tradition in cybersecurity circles to say the Board of Directors' ignorance or indifference on the topic is one of the biggest impediments an organization must overcome to have better security.

But is this still the case? Barry O'Connell, Trustwave's General Manager for EMEA, discussed this topic several years ago in Continuing the Conversation on Cybersecurity as a Business Risk, and we thought it was time to revisit the issue to see whether CISOs and other decision makers have managed to bridge the gap with the Board.

The conclusion is that the situation is still evolving, but in a positive direction. However, there is room for improvement, so O'Connell shared several strategic approaches cybersecurity leaders can use to communicate with and demonstrate value to their boards effectively.


Question: Are board members now more in tune with cybersecurity?

O'Connell: I do believe Board members are becoming more attuned to cybersecurity requirements, compliance mandates, and the genuine threats posed by threat actors.

However, there is a bit of a blip, in some cases, in Boards' comprehension of the danger. While awareness is growing, the depth of understanding can vary significantly, sometimes even with the help of the people tasked with keeping the Board informed on value. Help is sometimes needed to understand not merely the technical necessity of security, but security as a fundamental enabler of business objectives.


Q: What is the best way to communicate value to a board of directors?

O'Connell: That last point brings us to the next issue. We have met business leaders at the CIO and CISO levels who are seeking guidance on how to communicate the value of cybersecurity spending to their board members.

Our methodology to accomplish this goal has evolved over time, and Trustwave is now using Executive Business Reviews (EBR). EBRs take the raw data our team has developed from the client and use it to create an easily consumed point-of-sale tool that is full of impactful insights directly associated with their organization.

The EBR will assess and demonstrate the costs to the organization of hiring security professionals to handle the necessary security tasks compared with performing them internally.

It's a very simple PowerPoint deck focused on the maths, showing what the cost would be to hire the required number of people working 24/7 instead of bringing in an outside source. My ambition is that EBRs become a deliverable that we hand to a CISO or CIO who will use it when talking to their Board or other stakeholders.

This EBR's return-on-investment demonstration can be quite powerful. It quantifies the resources saved and the potential losses avoided if an attack were to occur.


Q: What additional techniques does Trustwave employ to help inform the Board?

O'Connell: The financial numbers are always helpful to a Board, but detailing the threat their organization specifically faces is an even stronger hand to play. To accomplish this, we arm the CISO with the information to do some storytelling around the implications of a successful attack.

Boards often are more responsive when we remove the transactional element from the discussion and rely on real-life details and potential problems.

Once our team has access to an environment, we can determine exactly the dangers involved. Trustwave is a huge proponent of this type of Offensive Security approach in general, proactively finding malware or vulnerabilities that can be exploited. Then, we match those issues to the potential threat actors, nation-states, or hacker groups that we know are using these exact tactics to attack similar organizations.

Then we show how we understand the group's behavior and go about stopping it. This paints a vivid picture of the real and present danger that is out there.


Q: What are some of the remaining stumbling blocks when it comes to CISO-Board communications?

O'Connell: While this is better in some cases, my view is that the communication skills of some cybersecurity professionals are still problematic.

Many CISOs have risen through highly technical ranks and may not have extensive experience articulating complex security concepts to a non-technical executive audience. Luckily, a significant portion of CISOs recognize this gap and are actively seeking to improve their communication prowess.

A Trustwave EBR can act as a crucial tool for a CISO, providing a piece of collateral that can help translate technical findings and recommendations into a language that resonates with business leaders.

It's also crucial to frame cybersecurity as a business enabler rather than purely a technical challenge and expense. A Board needs to understand that the business cannot efficiently function or may even face a potential financial disaster if security is not prioritized.


Q: Charts and PowerPoint slides have their place in this discussion, but is there a way for a CISO to physically demonstrate these talking points to a Board?

O'Connell: I believe witnessing a simulated cyber crisis firsthand through red team exercises or tabletop simulations can be far more impactful than abstract presentations.

For example, Trustwave conducted a tabletop exercise with the UK Ministry of Defence that included high-ranking military officials who, despite their strategic acumen, were largely unaware of the nuances and potential impact of cyber warfare until participating in a crisis simulation. The tabletop exercise showed them what would transpire, and we have found this helps foster a more proactive security culture at the highest levels.


Q: Any final words of advice for a CISO scheduled to talk to the Board about their organization's cybersecurity needs?

O'Connell: It is important to show a clear return on investment when discussing cybersecurity expenditures. CISOs must demonstrate the cost savings of outsourcing 24/7 security operations versus hiring an in-house team, which can make the financial value tangible. Additionally, highlighting concrete achievements, such as thwarted ransomware attacks or mitigation of critical vulnerabilities, helps boards understand the practical benefits of their security investment.

ABOUT TRUSTWAVE

Trustwave is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience.
