Tenable's Adam Palmer, Chief Cybersecurity Strategist, and John Salomon, FS-ISAC Director, Continental EU, Middle East, & Africa, explain the benefits of CFOs and other executives involving cybersecurity in their roles.
A commissioned study conducted by Forrester Consulting, on behalf of Tenable, found that currently only four in ten UK business leaders can confidently answer the question, “How secure are we?” There is a disconnect between business leaders, financial teams and security leaders in how they manage and communicate cyber risk. As such, cybersecurity needs to evolve as a part of the business strategy.
The Cybersecurity “Communication Gap”
Most mature businesses understand how to perform a basic assessment of the wide range of risks that impact their organisation. Cyber risk is often the exception. Cyber risk management is well established. However, business leaders, such as CFOs, don’t usually “speak” security, and techies don’t often know how to quantitatively measure, or explain, the degree of exposure to cybersecurity threats in a business context. As a result, the link between cybersecurity and the business can be lost in translation. Security is often seen solely as a cost to the business, rather than a means of preventing losses, or even a driver for increased revenue and overall success. Aligning the security programme to financial objectives improves understanding of value and drives support for corporate policies that support effective cyber risk management.
Cybersecurity Awareness – a Two-Way Street
Responsibility for ensuring effective cybersecurity risk management does not belong entirely to the CISO. Success depends on the rest of the organisation making an effort to also understand cybersecurity risk. This is not to say that a CFO must be a cybersecurity expert, as the onus is on the CISO to “speak the language of business.” Rather, financial leaders should at least have a fundamental grasp of cybersecurity. Using car ownership as an analogy, a driver does not have to know how to assemble an internal combustion engine. It is reasonable, though, to expect a competent driver to understand how to change a flat tire, check the oil level and, most crucially, when to listen to a professional mechanic.
Most importantly, the infosec organisation must not be seen as a necessary evil. Rather than treating the CISO and their team as expensive alarmists, a CFO must make an effort to comprehend some of the basic concepts of cybersecurity, and the ramifications to the organisation’s finances of not having a capable, empowered security organisation. Furthermore, the cybersecurity organisation can only do its job effectively if their security risk assessment activities are backed by unambiguous, strong policies.
Seeking Clear Answers from the Security Team
The CISO must distil the highly complex topic of cybersecurity into concise, relevant messages without “dumbing it down” for business and finance leaders. While the CISO should present a measurable view of the organisation’s cyber risk exposure using internal and external comparative benchmarks, the CFO should ensure they understand the basics around:
- Where are we exposed?
- Where should we prioritise based on risk?
- How are we reducing our exposure over time?
Describing the target state of the security programme should be based on an understanding of risk, not blindly applying capability maturity levels. Organisations need the ability to identify and quantify their level of risk and exposure. This should be done in collaboration with the C-Suite. Cross-functional collaboration will turn the organisation’s security strategy into a “living” strategy, and ensures business alignment on priorities, costs, and needs.
Is compliance the end goal?
Many organisations will look to regulatory standards to determine their cybersecurity goals or “target state.” While there is value in meeting these baseline requirements, checking a box doesn’t necessarily equate to appropriate secure practices or addressing financial risk. Minimum, compliance-based security is not adequate security. Instead, organisations should work to really understand their critical assets, identify the vulnerabilities that affect them and create a security programme that addresses this.
By adopting a quantifiable approach to security that benchmarks internally and externally, and is aligned to business and finance objectives, it becomes much easier to define a target risk state and measure overall effectiveness. This also allows a firm to get a head start on meeting their regulatory requirements and improving communication with regulators.
CFOs need to work with CISOs in order to gain an understanding of their company’s security risk, including the financial costs associated with it – both from a risk perspective and in terms of where technology investment might be needed. While finance can’t be expected to understand the technology or how it works, it is important to understand why it matters, including the role each new investment plays in closing the cyber exposure gap. To provide the level of detail needed to determine and reduce risks, the CISO needs to be able to determine, understand and report the following information to senior management:
- See – Complete visualisation of the entire modern attack surface allows anyone, from analyst to executive, to quickly understand and explore the organisation’s risk profile. This helps underpin the reasoning for taking action.
- Predict – Advanced analysis and risk-based exposure scoring that weighs asset value and criticality against vulnerabilities with threat context. This provides clear guidance on what to focus on first.
- Act – Exposure quantification and benchmarking enables effective comparisons of internal operations, and also allows this to be tracked against peers. This identifies areas of focus and suggests actions needed to optimise security investments.
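The three steps above describe a scoring model in words: weigh each asset's business value and criticality against the severity and threat context of its vulnerabilities, rank what to fix first, then track the aggregate figure over time and across business units. The following is an added illustration of that idea, not Tenable's product, scoring formula or any part of the original article. The asset inventory, the placeholder vulnerability identifiers (`VULN-A` and so on, not real CVEs), the 1 to 5 value and criticality scales and the threat multipliers (1.5 for actively exploited, 1.2 for public exploit available) are all constructed assumptions chosen to keep the arithmetic easy to follow; the names `asset_exposure`, `remediation_impact` and `exposure_trend` are hypothetical and exist only here.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Vulnerability:
    vuln_id: str             # placeholder identifier, not a real CVE
    severity: float          # base severity on a 0-10 scale (CVSS-like)
    exploited_in_wild: bool  # threat context: active exploitation observed
    exploit_available: bool  # threat context: public exploit code exists


@dataclass
class Asset:
    name: str
    business_unit: str
    value: int               # business value, 1 (low) to 5 (high), assumed scale
    criticality: int         # operational criticality, 1 to 5, assumed scale
    vulns: List[Vulnerability]


def threat_multiplier(v: Vulnerability) -> float:
    """Weight base severity by threat context (assumed multipliers): an issue
    exploited in the wild ranks above one with only a public exploit, which
    ranks above one with neither."""
    if v.exploited_in_wild:
        return 1.5
    if v.exploit_available:
        return 1.2
    return 1.0


def asset_weight(a: Asset) -> float:
    """Normalise value x criticality onto the 0..1 range."""
    return (a.value * a.criticality) / 25.0


def asset_exposure(a: Asset) -> float:
    """Exposure of one asset: its worst threat-weighted vulnerability, scaled
    by how much the asset matters to the business. An asset with no open
    vulnerabilities contributes nothing."""
    if not a.vulns:
        return 0.0
    worst = max(v.severity * threat_multiplier(v) for v in a.vulns)
    return worst * asset_weight(a)


def prioritise(assets: List[Asset]) -> List[str]:
    """Asset names in the order the security team should address them."""
    return [a.name for a in sorted(assets, key=asset_exposure, reverse=True)]


def portfolio_exposure(assets: List[Asset]) -> float:
    """Mean exposure across the inventory: the single number to report upward."""
    return sum(asset_exposure(a) for a in assets) / len(assets)


def exposure_by_unit(assets: List[Asset]) -> Dict[str, float]:
    """Internal benchmark: exposure summed per business unit."""
    totals: Dict[str, float] = {}
    for a in assets:
        totals[a.business_unit] = totals.get(a.business_unit, 0.0) + asset_exposure(a)
    return totals


def remediate(assets: List[Asset], vuln_id: str) -> List[Asset]:
    """Return a new inventory snapshot with one vulnerability fixed everywhere;
    the original snapshot is left untouched so the two can be compared."""
    return [Asset(a.name, a.business_unit, a.value, a.criticality,
                  [v for v in a.vulns if v.vuln_id != vuln_id]) for a in assets]


def remediation_impact(assets: List[Asset], vuln_id: str) -> float:
    """How much the portfolio figure would drop if this vulnerability were fixed."""
    return portfolio_exposure(assets) - portfolio_exposure(remediate(assets, vuln_id))


def exposure_trend(snapshots: List[List[Asset]]) -> List[float]:
    """Portfolio exposure per snapshot, oldest first, to show reduction over time."""
    return [portfolio_exposure(s) for s in snapshots]


# Constructed sample inventory. Note that marketing-site carries the same base
# severity (9.8) as payments-db; business context is what separates them.
SAMPLE_INVENTORY = [
    Asset("payments-db", "Finance", 5, 5,
          [Vulnerability("VULN-A", 9.8, True, True)]),
    Asset("hr-portal", "Corporate", 3, 4,
          [Vulnerability("VULN-B", 7.5, False, True),
           Vulnerability("VULN-C", 5.0, False, False)]),
    Asset("marketing-site", "Marketing", 2, 2,
          [Vulnerability("VULN-D", 9.8, False, False)]),
    Asset("dev-sandbox", "Engineering", 1, 1, []),
]


if __name__ == "__main__":
    print("Fix first:", prioritise(SAMPLE_INVENTORY))
    print("Per unit:", exposure_by_unit(SAMPLE_INVENTORY))
    for vid in ("VULN-A", "VULN-D"):
        print(f"Impact of fixing {vid}: {remediation_impact(SAMPLE_INVENTORY, vid):.3f}")
    after = remediate(SAMPLE_INVENTORY, "VULN-A")
    print("Trend:", [round(x, 3) for x in exposure_trend([SAMPLE_INVENTORY, after])])
```

The point a CFO should take from running this is the comparison between `VULN-A` and `VULN-D`: both carry the same base severity, but fixing the one on the high-value, actively exploited finance asset removes several times more portfolio exposure than fixing the one on the low-value marketing site. That is the difference between a raw vulnerability count and the risk-based view the article argues for, and the per-unit and trend figures are the internal benchmark and "reducing exposure over time" numbers a CISO can report without dumbing anything down.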
Historically, cybersecurity initiatives have seldom been aligned with business and finance objectives, but that must change.
Security leaders are challenged to prioritise where they focus effort — not just when it comes to vulnerabilities, but their entire cybersecurity strategy in general. By placing cyber risk management as part of an overall risk framework, business and financial executives can more easily assess whether best practices are being implemented effectively.
To do this, the CFO must work with the CISO to align cost, performance, and risk reduction objectives with business needs. This means providing a holistic understanding and assessment of the entire attack surface, with good visibility into the security of the most business-critical assets. The CFO should seek defined metrics and benchmarking processes, tied to business performance and process improvement from the CISO. Adopting this transparent, quantifiable approach will help the business understand cyber risk clearly, predict new threats, and act effectively.
The result is business-aligned security leaders who ensure their strategies are in lockstep with financial priorities. This collaboration with the CFO not only develops effective strategies and communicable metrics, but actually works to support organisational goals.