Cybersecurity areas CISOs need to address with their risk level advice - ISH Technology

Areas of cyber security that CISOs need to address with their risk level advice

In recent years, boards have become more interested in understanding the level of risk in their organisations and whether the CISO (Chief Information Security Officer) and security teams are doing all they can to defend against potential threats.

In fact, according to Gartner's recent 2021 survey, cyber security vulnerabilities were identified as the second largest source of risk to a business, surpassed only by regulatory compliance risk.

As interest in cyber security increases at board level, CISOs should be prepared to speak to their boards regularly to communicate the level of risk their organisations face and raise awareness of the types of preventative measures being taken to reduce that risk.

The need to invest preventively in cyber security

CISOs should communicate to the board that, even when the organisation has the right security tools, the right security team and up-to-date processes, vulnerabilities may go undiscovered until the organisation has the time and resources to investigate an incident on its own systems.

In addition, solutions installed in OT infrastructure and complex networks, such as IoT, can be difficult to update without affecting day-to-day business. Organisations often run outdated software, which can leave "doors" open for malicious parties.

As a result, preventative cyber security is a fundamental pillar for organisations to strengthen their protective posture, identify unknown threats and defend against internal and external vulnerabilities.

Communication on cyber security with company boards

To help the board understand the organisation's cyber security risk, CISOs should be prepared to address the following key areas.

  • Describe the type of cyber security assessment that is carried out in the company

Often, CISOs start by jumping immediately to descriptions of the organisation's risk level, but the recommendation is to take a step back and start by describing what kind of cyber security assessment IT teams perform to identify the risk in the first place.

Describe for the board whether the threat is something easily defined and identified, such as a known vulnerability, or something more sophisticated, such as an advanced persistent threat.

Discuss whether it was discovered through routine penetration testing or whether the security team was investigating a specific application. Address the likelihood that the vulnerability has already been exploited. If it has not been exploited yet, discuss the likelihood of your organisation being targeted by cybercriminals.

Organisations that handle highly regulated data or hold sought-after intellectual property are more likely to be targeted than others. This background provides important context to help the board better understand the severity of the risk facing the organisation.

  • Detail the potential impact of threats

It is also important not only to describe the risk, but also to explain to the board the potential impact of that risk to the company if it were to be exploited. An external vulnerability in the organisation is usually a more serious problem than an internal vulnerability.

But CISOs must also educate the board on how a relatively small internal vulnerability can be leveraged by cybercriminals to create a bigger threat in the future.

For example, smart cybercriminals will chain vulnerabilities, using low or medium value information to gain access to more high value data, exploiting user access and authorisation vulnerabilities to move up the chain.

This is why it is important for cyber security teams to further explore the security stack when conducting penetration testing, as this allows them to discover the real impact of a vulnerability by seeing what data and systems attackers can get into.

  • Identify the internal processes that can mitigate the risk

When discussing cybersecurity risk with the board, a frequent question to CISOs is whether they should accept the risk rating assigned by a third-party partner or instead use a risk rating determined by the internal security team.

The recommendation is to stick to the risk rating provided by your third-party partner. This rating is based on the cleanest and most independent analysis possible and provides a snapshot of the actual risk the organisation faces before the security team has implemented any compensating controls.

CISOs should highlight to the board the steps that can be taken to mitigate the risk in their environment. It is also important to understand that in many cases, although the risk may have been mitigated, the original conditions that created that vulnerability in the first place may still exist in the organisation.

Each time the organisation undergoes change - such as during a merger, acquisition or when adding a new third-party contractor - the landscape changes. The compensating controls you put in place to mitigate a risk today may not be effective tomorrow.

CISOs should work with the board to help members understand other factors, such as organisational processes or employee behaviours, that affect risk.

  • Provide practical remedial solutions that fit the budget

Often, third-party security providers not only help identify the vulnerabilities and cybersecurity threats an organisation faces, but also provide advice on how to fix the problems and recommend which protection products to buy.

CISOs must remember that they are the ultimate decision makers, and it is their responsibility to know their budget and what will be appropriate for the board of directors as they seek to control spending. CISOs should always conduct due diligence and even consider hiring a third-party company to help them conduct an independent evaluation of security products to determine what is needed.

Often, organisations do not need to buy the most sophisticated enterprise security products, and they may not have the right training or level of expertise in their security teams to maintain such products.

Some common cybersecurity risks can be fixed with a change to a registry key or to an Active Directory setting. In other cases, an organisation can get more value and better protection from a managed security service.

When talking to their boards and outlining the remedial measures they plan to undertake, CISOs should be prepared to address how they fit into the budget.

Ultimately, much of the discussion around cybersecurity risks, testing and remediation efforts will depend on the risk tolerance of the organisation. Those operating in highly regulated industries will have a lower tolerance for risk and be more willing to allocate budget for ongoing testing, monitoring and mitigation.

All CISOs, regardless of the sector in which they operate, must be prepared to face increasing scrutiny from their boards.

In its research, Gartner estimated that 40% of boards will have a dedicated cyber security committee in the next four years - a significant increase from the less than 10% they have today.

Being prepared to describe the type of cybersecurity strategy in place, the potential business impact of identified risks, and how these efforts align with budget will allow CISOs to steer their advice in the right direction and strengthen their organisations' overall cybersecurity posture.