Cyber In The Boardroom: A Reporting Framework

Cyber Security Getting The Board's Attention

It wasn't very long ago that cybersecurity was primarily seen as just an IT issue and rarely received the attention of senior executives and boards. Many healthcare executives have either lived through an incident or seen the countless news headlines about organizations feeling the painful sting of lapses in cybersecurity. The cascading impacts of these lapses that include operational, legal, safety, and financial consequences have put cyber on the radar of many CEOs and boards.

A 2018 survey of CIOs conducted by HarveyNash/KPMG, found that board interest in cyber had risen by 23%, with only 22% indicating they felt their organization were well prepared for a cyber attack.

Beyond the internal drivers for better board oversight of cyber risk, there is growing regulatory pressure pushing corporate boards to increase their cybersecurity expertise. Regulators such as SEC chairman Robert Jackson's are recommending that boards ensure "internal controls, policies, and procedures that make sure that information on the ground in the company, about any cyber issues, makes its way up to the c-suite and the boardroom..."

Obstacles 

The Language Barrier

While CEOs and boards are taking a more active interest in cybersecurity, there remain significant obstacles that prevent proper oversight of cybersecurity risk. One of the biggest challenges is the language barrier that exists due to the overly technical nature of cybersecurity. Historically CISOs have struggled to translate the technical metrics and jargon-filled language of cybersecurity into reports that help boards gain a real understanding of the organization's risk and the financial impact of incremental increases in cybersecurity investments. 

A 2016 board member survey report from Osterman Research found that just over half (54%) felt that information they received from IT and security leaders is too technical, and often includes:

1. A complete list of vulnerabilities within the organization
2. Details on data loss
3. Downtime caused by data breach incidents

The same survey found that 85% of board members felt IT and security executives need to improve their board reports. 

A 2018 survey of CEOs and boards conducted by Deloitte stated, "cyber risk reports often focus on technical details and technological risks. Yet CEOs and board members could benefit from—and be more engaged by—cyber risk reporting and assurance that focus more on business risks and impacts."

In a recent Wall Street Journal article, enterprise risk management expert and E-Trade board member James Lam warned technology and security leaders about presenting "silly" metrics to their boards. Lam also said, "...too many chief information security officers and chief information officers go to board meetings lacking perspective about how cyber risk is but one factor to be weighed in overall corporate strategy...CISOs and business executives should go beyond seeing cyber risks in technical terms and weigh the risk of, say, a data breach against the opportunity in a given digital endeavor for adding customers or increasing revenue." 

The Osterman Research study concluded that "As cybersecurity takes a new priority in the C-suite, it has led to more attention from the board of directors. IT and security executives are expected to report cyber risk metrics to the board that enables them to make informed decisions." The report cited three things that boards want from IT and, security executives:

1. Reports with understandable language that do not require board members to be cyber experts
2. Quantitative information about cyber risks
3. The progress that has been to address the company's cybersecurity risk

Lack of Cyber Performance Reporting Standards

Unlike other well-established business domains with generally accepted reporting practices and methods, cybersecurity lacks an authoritative source that establishes standards and policies for measuring and reporting performance. As a result, IT and security leaders are often left to their own devices to determine the "right metrics" to include in their reports, ultimately guessing about the amount and type of information that warrants board attention. 

Over the years, we have had countless conversations with CIOs and CISOs trying to solve this very problem. 

RiSO: A Cyber Governance and Board Reporting Framework

While there no shortage of cybersecurity frameworks and guidance for boards, we did not find one that did an adequate job of addressing the needs of boards by providing organizations a comprehensive and coherent view of their cyber risk landscape. This gap in the market is what we set out to address when we created the RiSO framework. 

What is RiSO?

RiSO is a governance and board reporting framework for cybersecurity.

RiSO Principles and Goals 

When creating the RiSO framework, we had a few core principles and goals in mind:

• The KISS principle - Keep it as simple as possible.
• Allow for a comprehensive and balanced report.
• Improve communication and transparency.
• Compliment (not replace) existing security and risk management frameworks.

Three Perspectives for a Balanced View 

The RiSO Framework provides three complementary but unique perspectives of an organization's cybersecurity program. These are the RISK perspective, the STRATEGY perspective, and the OPERATIONS perspective.  

Risk Perspective

The risk perspective provides visibility into the risk associated with the organization's current cybersecurity posture. To ensure risk is being evaluated and communicated effectively, proven risk quantification methods are a MUST.

Examples of items to report:

• Top risks w/ exposure (e.g. ALE) - (known knowns)
• Risk blind spots (the known unknowns)
• Risk analysis methods
• Risk breakdowns (top threats, assets, etc.)

Relationship with the other two perspectives:

Risk measurements should be used to support both strategic and operational priorities and decisions.

Strategy Perspective

The strategy perspective is about the actions needed to make quantum improvements to security operations and preparing the organization for the future.

What are strategic issues?

Generally, we can put strategic issues into two buckets:

• Issues that can have a material impact on the organization's ability to execute its mission or achieve its objectives
• Issues that can have significant financial or patient safety risks

Example of items to report:

• Summary of the cyber strategic plan (e.g., priority issues, objectives, strategies, etc.)
• Strategic initiatives budget (may incl. peer benchmark)
• Progress towards strategic objectives
• Status of plans/initiatives
• Emerging issues (threats, changes in the business, etc.)

Operations Perspective 

The operations perspective provides information about the performance (efficiency and effectiveness) of our current systems and processes.  

Examples of items to report:

• Operational performance measures across related domains: 
  • Risk Management
  • Security
  • Compliance
• "Keep The Lights On" Budget (benchmark)
• Headcount (benchmark)

Types of measures/metrics

• Leading and lagging performance indicators
• Maturity models
• Capability models
• Key Performance Indicators (KPI), Key Risk Indicators (KRI), Key Control Indicators (KCI)

Relationship with Risk perspective

• Information from the Operations perspective should feed risk analysis (e.g., control capabilities, incident frequency, etc.). 
• Risk information can be used to help prioritize issues in a risk register. 
• Risk information can be used to determine if additional controls/resources are needed. 

Relationship with the Strategy perspective

• Operational capabilities should be considered in strategic planning.

Conclusion

Cybersecurity leaders that want to be more than just "techies" need to improve what they include in their reports, and how they deliver it. They also need to demonstrate that they can think strategically about cybersecurity and how the organization's cybersecurity program should align with the organization's mission and objectives. 

References

IIARF - What The Board of Directors Need to Ask

NACD - Cyber Risk Oversight Handbook

NACD - Cyber Risk Oversight in the Boardroom Infographic

PWC Global State of Information Security Survey

IIA Position Paper: The Three Lines Of Defense In Effective Risk Management and Control