A CISO’s Guide to Communicating Risk

On average, it takes 212 days before a data breach is detected. According to Financer Worldwide, the average breach costs $18.5M and can cause you to face fines and a loss of reputation. Another cost is the loss of trust of your customers and the public, and the consequences last much longer than a single security incident. With this in mind, it is imperative that the Chief Information Security Officer (CISO) is prepared for worst-case scenarios while driving the appropriate forms of communication with C-level executives. In our recent webinar, A CISO’s Guide to Communicating Risk, Exabeam Senior Product Marketing Manager, Mike Moreno, talked with Exabeam CISO, Tyler Farrar, about how CISOs can effectively communicate risk to their organizations. 

Major causes of a breach

According to Niel Daswani, author of Big Breaches: Cybersecurity Lessons for Everyone, there are six major causes of breaches. It is vital that CISOs are able to articulate these major causes to other C-level executives: 

• Software vulnerabilities
• Malware
• Inadvertent employee mistakes
• A third-party compromise 
• Unencrypted data
• Phishing

Once you understand the major causes of breaches, it helps to tie these into metrics and Key Performance Indicators (KPIs) so that other executives can visualize the impact that each of these vulnerabilities could have on the company. Tyler asserts, “Your ability to translate those metrics to tell a story is really important. That story does change or is told differently based on who you’re talking to — if you’re talking to the CEO, the CIO, the CFO, etc., you do have to tie your story to the risk. With a risk-based data-centric approach, you should be talking about the risks to the most critical areas of the business.”

How do you answer the question, “How secure are we?”

Tyler goes in-depth on how CISOs can answer when asked, “How secure are we?” He believes in using a risk-based data-centric approach. Tyler states, “If you’re taking that approach, you’re focusing on the critical infrastructure and or the critical data services that are supporting or running your company’s core products and services. It’s what’s making your company money. It’s what’s allowing your company to grow. It’s what’s allowing your company to exist in the first place. So now, you’re at least focused on the right things. From there, you have to start to define what’s the overall risk posture of those critical products and services. What risks are driving the overall posture to the IT systems that support those products and services?”

Tyler also mentions the importance of highlighting positive things, such as “What kind of risk reductions have occurred? Show that there has been an improvement. Talk about what is a work in progress. What is the long-term journey to turn that platform or that environment or that product to ‘green.’” 

Communicating risk to the CFO

When talking to the Chief Financial Officer (CFO), help uncover cost-saving opportunities and contextualize the value of security investments and how they can minimize future losses. Tyler emphasizes the importance of focusing on metrics, stating, “They (metrics) do tell that story. It does provide visibility to the CFO on why investments are needed. I would tie those across those root causes of breaches that I mentioned earlier. If there’s intense pushback, saying, ‘We don’t have the money to be able to pay for this, to invest in this,’ that should be part of your formal risk acceptance program as part of your larger enterprise risk management program. You have to gain risk acceptance for the nos. And, so if you’re walking through this it’s not just saying, ‘I need this money’ or ‘there’s a risk here.’ But you have to show and walk through that whole process via your risk-based data-centric approach.”

When talking to the CFO, make sure to use examples and metrics. Tyler gives an example of how to talk to the CFO, stating, “I’ve calibrated this risk. I have security champions. I have my GRC team. I have all these technical subject matter experts (SMEs) saying, ‘this is a big deal.’ I’ve communicated the likelihood and impact of this risk occurring, which in this case is most likely going to be high. You’ve now requested funding to remediate the risk. And you’re telling your story and telling them exactly how you’re going to do it. ‘I need this money to invest in X, Y, and Z in order to remediate this risk, and this is how I’m going to do it.’ And, if those financial resources still aren’t available, then the CFO or CEO in some cases needs to formally sign off on that risk. It’s no longer within the CISO’s control if there’s legitimately no funding available or if it’s a hard no.” 

Additionally, Tyler highlights how giving examples of how you have saved the company money can be a great way to communicate the value of cybersecurity to the CFO. Tyler says, “If you’re able to show the CFO that you’ve saved $100,000 over the quarter or over the month because you shut down seven systems that were running 24/7 in perpetuity, that’s a great story to tell as well.” 

Communicating risk to the CHRO

Human resources (HR) is an important stakeholder in an executive security incident response strategy. An insecure workplace erodes trust, lowers morale, and diminishes a culture of excellence. A robust and intelligent security apparatus can supply the insights HR teams need to support internal investigations.

Tyler stresses the importance of “being able to introduce a more formal investigation process for insider threats. And it’s not just, ‘Here’s the process.’ It’s a tight collaboration to develop that process of when can the security operations team or the insider threat investigations team have a little bit more autonomy to conduct an investigation into a potential insider threat. And then when is that trigger made to escalate to your human resources department? And then, what does the actual investigation look like as well as the obvious sit down with the individual? And so it’s a really good idea to develop that initial process and sit down with the CHRO and HR team to walk through that.” 

Tyler also mentions the importance of developing a security incident response plan, stating, “Everybody has an opportunity and or a responsibility specifically when there’s a major crisis or breach to execute what I call the executive security incident response plan. So outside of the roles, it’s really critical to develop one if you don’t have one today. It’s really important to have an overall crisis management team or a crisis management function and have processes defined for ‘How do I activate? How do I deactivate that team? Who is part of that core team? How often are we meeting? How often are we exercising?’”

In this webinar, Tyler Farrar discussed the key ways a CISO can communicate risk to other executives. He mentioned the importance of a risk-based data-centric approach focused on critical infrastructure and metrics to tell a story. Keep in mind that the way you tell the story changes based on who you’re talking to. Make sure you’ve properly calibrated each risk within your organization and then leverage all of those executive partnerships to exercise your security incident response plan. Lastly, ensure everyone understands what their roles and responsibilities are when a breach occurs. 

Learn more about Communicating Risk

For more information, watch the full on-demand webinar and read the accompanying white paper.