How to talk to boards about cyber security investment


It’s a common misconception: that reducing the risk of cyber attacks is about hiring skilled security staff backed by the latest, up-to-date security systems and services. The catch, of course, is that many organisations don’t realise this until they have suffered a security breach, at which point the issue of hiring people and buying equipment suddenly becomes the board’s number one priority.

One of the most cited reasons for this is that boards are reluctant to spend money on cyber security until after the fact. Why does this happen? Most likely because the board hasn’t understood the operational implications of a cyber attack or hasn’t had the issue explained to them in terms they can relate to. Given how dramatically the risk of cyber attack has risen over the last decade, this is understandable. Even experienced security professionals have been caught out by the surge in disruptive cyber crime.

What matters is to bridge the gap with boards by arguing the case for investment using terms of reference they can process. In large organisations, this falls to roles such as CISOs, CTOs or CIOs, while in smaller organisations it’ll be the head of IT or a similar role. Although some of the language will be different between these environments, the principles remain the same.

Use simple language

Board members are appointed for their business experience and background rather than cyber security or IT knowledge, which means the first task is to develop a common language and set of concepts through which to discuss the issue. A lot of board members’ knowledge of cyber security issues will come from reading about incidents in the media that focus on the impact. For this audience, technical arguments and jargon don’t cut it; it is better to explain an organisation’s security as a series of protections around layers, for example users, data, devices, applications, the network, and cloud assets. The message is that cyber attacks attempt to breach multiple layers at once, which is why each must be defended on a 24×7 basis using specific policies and technologies.

Boards understand risk

Using threats to justify spending – ransomware for instance – is a minefield which risks misunderstanding in a mire of technical concepts. It is better to describe risk by outlining the vulnerable elements of the organisation’s infrastructure and how each might be better secured. For example, a common threat technique is to attempt to steal credentials using phishing, a simple tactic whose outcome can be severe. This can be countered through investment in user training, but also in email filtering and authentication. It’s not how these work that matters but how they prevent a given outcome. It’s also important to talk about policies, for example the adoption of principles such as zero trust. Zero trust doesn’t mandate which technologies must be deployed but outlines a trust architecture that must be applied consistently to achieve its objective.

Incident response

The most extreme example of risk is a sudden emergency such as an unfolding ransomware attack. This is one area where a lot of CIOs find themselves asking for more money, not only for in-house expertise and response but for third-party support. The board needs to understand the importance of this spending. It’s like arguing for Plan B insurance should the worst happen, not dissimilar to how organisations plan for unusual weather, pandemics, or economic disruption. A cyber attack is not unlike one of these events and offers a good analogy. An important element of incident response is to agree on a policy in advance to cope with attacks such as ransomware or a data breach – should a ransom be paid? If not, this implies extra spending on recovery and, possibly, cyber security insurance.

Key performance indicators

It’s not enough simply to make a series of spending recommendations based on technical arguments. The board must have confidence that this spending is part of a long-term strategy whose success can be measured objectively over time, including should the person making the case leave the organisation. This is done using the same tool used to measure any business investment: key performance indicators (KPIs). For example, a common cyber security KPI is reducing the organisation’s reliance on vulnerable legacy systems, typically unsupported software. This is a good KPI because the reduction in legacy equipment can be measured and reported quite precisely. The board approves spending on new systems and migration and gets a defined risk reduction it can understand – job done.

Independent assessment

Boards will often want more than a list of KPIs, however, and will want to understand how these relate to higher-level governance regimes, for example GDPR or NIST’s Cybersecurity Framework. This can be achieved by carrying out a benchmarking exercise that compares an organisation to its peers and gives boards an idea of its maturity level. However, this doesn’t mean that technical assessments have no place. A good example is to conduct independent assessments such as penetration tests. These provide a degree of reassurance, so the board doesn’t have to take it on trust that its security design is meeting its goals.

Cyber security is competitive

It’s a point worth repeating as often as possible – the idea that cyber security is a cost centre is obsolete; indeed there is a case for arguing that it has become a competitive advantage. There was a time when a cyber attack was an IT stress whose costs could be contained with a bit of overtime and a few red faces. The surge in data breaches, the theft of intellectual property, and ransomware have changed this. Severe cyber attacks now represent a huge potential bill and possibly even an existential threat. It follows that organisations that can resist or minimise cyber attacks gain competitively against peers that fail to do this.

Conclusion – cyber security isn’t a talking shop

The idea that bridging the gap between the cyber security function and management is a good idea is far from new. What’s changed is the urgency of making this happen in a way that leads to concrete improvement rather than a lot of meetings and talks. This isn’t simply about best practice and compliance but survival. The organisations that find a way to turn cyber security from IT’s unwanted child into a part of their strategic planning for the future will be the ones that survive the current era of digital insecurity.

Written by Amtivo Admin
