Bringing Security Intelligence to the Board

Josh Lefkowitz

Data breaches are costly. According to a recent study conducted by The Ponemon Institute, the average breach costs an organisation $3.86 million. A separate study found that, although the share price of breach-affected companies shows its sharpest drop 14 days after the breach is made public, there’s still a discernible impact on the organisation’s stock valuation three years post-event. Josh Lefkowitz delves further into the detail.

Business impacts at this level affect the fundamental financial performance and sustainability of an organisation, which means cyber security must no longer be considered an IT issue. Rather, it’s a matter for the Board in its role as custodian of shareholder value.

By managing cyber risk as part of the overall organisational risk strategy, Boards can put it into a commercial context and drive the cultural awareness of risk that’s essential to promote cyber resilience across the business.

Elevating cyber risk management to Board level is not without its challenges, though. We’re still very much in the midst of a shift in mindset from a technology-centric to a business-centric view of cyber threats, and that shift can produce a disconnect. Many Boards find it difficult to interpret the information they receive from the IT team, while many IT functions struggle to understand what data the Board really needs in order to carry out effective oversight.

This challenge was underlined by recent EY interviews that found difficulties “obtaining relevant, objective and reliable information presented in business-centric terms…[and this] affects Board members’ ability to understand the risk facing their organisations and evaluate management’s response to these risks.”

This is where the evolving role of the Chief Information Security Officer (CISO), sitting between the security function and the Board, demands a mix of skills. CISOs need the technical expertise to analyse and interpret threat metrics and technology performance, and the ability to translate those findings into a broader business context for Board directors, so that the Board can deliver strategic cyber risk oversight and governance for the business.

From numbers to narrative

While Boards are increasingly factoring cyber skill sets into their succession planning when recruiting new Board members, most current Board directors don’t have deep experience in cyber security. Any metric-based reporting should therefore be simple to interpret, built on auditable figures that together give an overview of the organisation’s security posture.

Reports should also be framed in terms of the impact specific security incidents would have on the business. For example, a DDoS attack might carry reputational risk, operational risk and strategic risk. Risk also has a compliance dimension, so the Board needs to know how cyber security incidents could affect the organisation’s data privacy obligations and governance.

It’s the role of the Board to challenge senior management robustly in order to deliver effective oversight. That being the case, CISOs should be ready to answer questions around the organisation’s cyber security maturity and the frameworks established to manage emerging threats.

However, while numbers and frameworks are valuable in helping Boards evaluate and audit cyber risk posture, when it comes to setting a risk-aware culture, directors really need deeper context around the types of threats specific to their organisation. If Board directors are given a window into the environment, tactics and motivational psychology of actors that target their sector and business, they can better understand the risks themselves. Once that has been achieved, Board directors can become an asset to the CISO in promoting a cyber risk-aware culture not just as a tick-box exercise, but because they have genuine appreciation of the factors – and, indeed actors – in play.

To achieve this Board-level buy-in, CISOs need to move from numbers to narrative in order to drive the message home. This is where business risk intelligence provides the context that helps bring risk to life.

It’s undoubtedly useful for senior leaders to understand the frequency and type of the cyber attacks the business experiences, but it’s also valuable for them to know the extent to which the organisation is the topic of conversation in the illicit online communities that initiate those attacks.

Deep and Dark Web forums, chat services and other platforms are often where cyber criminals discuss tactics to defraud or infiltrate the organisation. These types of venues are also where company secrets, Intellectual Property and stolen data may be offered for sale. An overview of the company’s profile across the Deep and Dark Web, as well as other illicit online communities, and the kinds of tactics that are being discussed is a powerful way in which CISOs can help directors gain context to understand what the business faces.

Illustrating third party risk

Third party risk, including supply chain weaknesses, is a hot topic among Boardrooms as businesses realise that keeping their own house in order is not enough. Intelligence gleaned from illicit online communities can also be used to illustrate potential weaknesses in – or threats posed to – partner organisations. This intelligence can help Boards meet objectives to manage supply chain risk.

Informed cyber risk oversight by company Boards of Directors relies on them receiving a combination of auditable metrics, risk impact assessments and contextual threat information.

Greater understanding of the threat actor environment also assists Boards in leading a risk-aware culture across the business, moving from a tick-box approach towards a genuine cultural shift.

Josh Lefkowitz is CEO of Flashpoint

Published in Risk Xtra (Pro-Activ Publications), Editor: Brian Sims BA (Hons) Hon FSyI.
