By Christophe Veltsos, PhD
April 5th, 2016

Board directors and top leadership are under pressure to get a handle on cybersecurity risks. While the “security problem” isn’t new, it has ballooned into a top agenda item for most organizations today. On a positive note, it means that boards, management, and senior security staff are having conversations around cybersecurity risks, and how to align those with the needs of the business. However, the ongoing list of data breaches making headlines almost every day implies that those conversations are not being as fruitful as they need to be.

Establish security objectives, policies and roles.
Establish security objectives, policies and roles.

A large gap exists between what those in the cybersecurity trenches know, and what management and the board are told about those activities and projects. In today’s environment, it is no longer acceptable to have a Chief Information Officer (CIO) or Chief Information Security Officer (CISO) to simply give us their “word” that security is under control. Boards and management are asking more probing questions, and it’s about time. In response, CIOs and CISOs need to be better explain how money and resources are being spent. In making the case for their budgets and proposed risk mitigation activities, however, CIOs and CISOs need to steer clear of techno-babble or risk losing their executive’s and board’s attention and support.

To assist management and board directors, a Spencer Stuart article entitled Cybersecurity: The Board’s Role defined key questions for how board directors can assess their organization’s current handling of cybersecurity risks:

  1. Does management have “a clear and consistent understanding of cybersecurity relative to the business?”
  2. Does management understand its responsibility in this domain, and particularly whether management has “an adequate system of controls in place?”
  3. Is the cybersecurity budget appropriately funded?

The problem that boards and management face is understanding a fairly foreign topic to them, about which they are supposed to make decisions to ensure the continued cyber health of their organization. In the past, security could ask for and receive sizeable security budgets without being able to show the impact of this funding on the organization’s ability to handle risks. In today’s environment, management and the board are eager to show that they are not ignoring their responsibilities to customers, shareholders, and even government watchdog agencies, but also show that they understand a right size approach and budget to protect the business from risks.

How can management communicate to the board that it has “a clear and consistent understanding of cybersecurity relative to the business?” How can management demonstrate that it has “an adequate system of controls in place” and that the cybersecurity budget is adequately funded?

In a report entitled Cyber Risk ‐ Getting the Boardroom Focus Right, Deloitte outlined a key attribute of organizations deemed to be at the highest level of cybersecurity risk governance: that “cyber risk management and reporting become ‘business as usual.’”

How can we have engaging, challenging conversations about the organization’s cybersecurity activities? How can we make sure the topic of cybersecurity becomes part of “business as usual” for management and the board?

We shift the conversation away from individual cyber-related projects (such as perimeter defenses or antivirus) and towards an approach that is understandable, logical, repeatable, reliable, and robust. This approach exists – it’s called MAPP: Maturity Assessment, Profile, and Plan. We first group similar security controls and activities into processes, or a high-level business view of a group of related security activities (such as user access control or governance). From this perspective, an organization looks at the maturity of its security processes, and then tracks, reports, and has engaging conversations on its handling of security risks. Security management can show the C-suite that it’s doing the right things the right way. The C-suite can be on the same page, without having to go to cyber school.

For board directors and top leadership, there is no escaping from their responsibilities to tackle cybersecurity risks. What is needed is an approach that will bring focus and clarity to the discussions about cybersecurity to ensure that the right decisions are made. The organization’s future depends on it.

Don’t delay, download and read our MAPP approach today.