If you want to gain real insight into the disconnect between IT and the C-levels, then take a closer look at the Cyentia Institute’s Cyber Balance Sheet Report, 2017. Cyentia was founded by the IOS blog’s favorite data breach thinker and statistician, Wade Baker. Based on surveying over 80 corporate board members and IT executives, Cyentia broke down the differing data security viewpoints between CISOs and the board (including CEOs) into six different areas.
The key takeaway is that it’s not just that IT doesn’t speak the same language as the business side, but also that the business executives and IT view and think about basic security ideas, values, and metrics differently. It’s important to get everyone on the same page, so I applaud Cyentia for their efforts.
The report and its findings were the inspiration — thanks Wade — behind this IOS blog mini-series. It’s my modest attempt to bridge the viewpoint gap, and try to get everyone on the same page. (And after that I’ll take on world peace.)
In this first post, we’ll look at some of the Cyber Balance Sheet’s intriguing results and observations. In the second and third posts, I’ll attempt to act as couples counselor, and explain ideas that one side needs to know about the other.
When Worlds Collide
Let’s look first at one of the more counter-intuitive results that I discovered in the report.
Cyentia asked both CISOs and board subjects to rate the value of cybersecurity to their business in five different categories: security guidance, business enabler, loss avoidance, data protection, and brand protections (see chart below).
Yeah, I’m a little surprised that data protection was rated by under 30% of CISOs, but over 80% of board members as valuable. Maybe, I’m a crazy idealist, but you’d think that would be job #1 for CISOs!
The explanation from Cyentia on this point is worth noting: “CISOs of course know that data protection lies in their purview … and so they’ve learned to position data protection as a business enabler rather than a cost center.”
I think what Cyentia is getting at is that CISOs feel strongly that they bring real value to their business and not just red ink — not just providing a data protection service. And that jibes with the fact that 40% of CISOs say they are business enablers. That belief is not shared equally by the board, though: only 20% of them think that.
The key to all this is found in the breakdown of the “brand protection” value: over 60% of board members saw this as important, but it barely made a blip with CISOs, at less than 20%.
I’m not surprised that CISOs don’t see their job as being the brand police. I don’t blame them! I can almost hear them screaming “I’m an IT professional not a brand champion.”
But let’s look at this from a risk perspective, which is the viewpoint of CEOs and boards. As one of the board-level interviewees put it in the report, their biggest concern is the legal and business implications of a data breach. They know a data breach or an insider attack can have serious reputational damage, leading to lost sales and lawsuits, which all work out to hard dollars. Brand damage is very much a board-level issue!
Cyentia has identified an enormous gap between what CISOs and the board think is important regarding the value of cybersecurity. This leads nicely to another result of theirs.
Let’s Talk About Risk
The metric measurements in the report (see section 4) are also revealing and detail more of this diverging viewpoint. Of course, CISOs are focused on various IT metrics, particularly related to security incidents, responses, governance, and more.
Cyentia tells us there’s a rough balance between both sides for many of the IT metrics. However, there’s a large gap between CISOs and boards over the importance of “risk posture” metrics. It’s mentioned by 80% of boards versus only 20% of CISOs. That’s a startling disparity.
IT loves operational security metrics: the ones mentioned above along with lots of details about day-to-day operations, involving patching status, malware or virus scanner stats, and more.
But that’s not what board members — who may not be as technically knowledgeable in a narrow IT sense — think is important for their work!
These folks have enormous experience running actual businesses. CEOs and their boards, of course, need to plan ahead, and these savvy business pros expect there to be uncertainty in their plans. That comes with the territory.
What they want from IT is a quantification of how bad the outcome of a breach, insider attack, or accidental disclosure can get in dollars, and the frequency or probability with which these events could happen.
You can think of them as disciplined high-tech gamblers who know all the probabilities of each outcome and place their bets accordingly. Pro tip: they’re probably great poker players.
For Next Time
If you want to get ahead of the game, take a look at Evan Wheeler’s presentation at this year’s RSA conference. Evan is a CISO and risk management expert. If you want to understand what a risk profile is, check out his explanation at around the 25-minute mark.
His key point is that business leaders are interested in both rare cybersecurity events that incur huge losses – think Equifax – and more likely events that typically have far lower costs – spam mail, say, to get the corporate credit card numbers used in the travel department. They have different ways of dealing with each of these outcomes.
We’ll get a little more into the weeds next time when we look at “exceedance probabilities”, which are basically a more quantified version of a risk profile. It’s a great topic, and one that CISOs should become more familiar with.
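To make the “dollars and frequency” view concrete, here is an added example (my own code, not anything from the post, from Cyentia, or from Evan Wheeler’s talk) that turns two constructed, hypothetical loss scenarios into a loss exceedance curve: for each dollar threshold, the probability that total losses in a year exceed it. The scenario figures, the frequent low-cost card-number phishing and the rare large breach, are made-up numbers chosen only to show the two regimes the talk describes; the simulation draws a Poisson event count per scenario and a lognormal loss per event, then reads exceedance probabilities off the simulated years.

```python
import math
import random
from typing import Dict, List, Tuple

# Constructed, hypothetical scenarios (NOT figures from the Cyentia report).
# Each is a frequency/magnitude pair: expected events per year, and a lognormal
# loss per event described by its median dollar loss and log-scale spread (sigma).
SCENARIOS: List[Dict] = [
    {"name": "card-number phishing (travel dept)", "rate": 12.0, "median_loss": 2_000, "sigma": 0.6},
    {"name": "large data breach", "rate": 0.05, "median_loss": 50_000_000, "sigma": 1.0},
]


def poisson(rate: float, rng: random.Random) -> int:
    """Draw an event count from a Poisson distribution (Knuth's method; fine for small rates)."""
    limit = math.exp(-rate)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_year(scenarios: List[Dict], rng: random.Random) -> float:
    """Total dollar loss in one simulated year across all scenarios."""
    total = 0.0
    for s in scenarios:
        mu = math.log(s["median_loss"])  # lognormal median is exp(mu)
        for _ in range(poisson(s["rate"], rng)):
            total += rng.lognormvariate(mu, s["sigma"])
    return total


def simulate_annual_losses(scenarios: List[Dict], years: int = 10_000, seed: int = 1) -> List[float]:
    """Monte Carlo: one total loss figure per simulated year (seeded for repeatability)."""
    rng = random.Random(seed)
    return [simulate_year(scenarios, rng) for _ in range(years)]


def exceedance_probability(losses: List[float], threshold: float) -> float:
    """P(annual loss > threshold): one point on the loss exceedance curve."""
    return sum(1 for x in losses if x > threshold) / len(losses)


def exceedance_curve(losses: List[float], thresholds: List[float]) -> List[Tuple[float, float]]:
    """The curve boards ask about: (threshold, probability of exceeding it) pairs."""
    return [(t, exceedance_probability(losses, t)) for t in thresholds]


def expected_annual_loss(losses: List[float]) -> float:
    """Average loss per simulated year: the 'budget' number, which hides the tail."""
    return sum(losses) / len(losses)


if __name__ == "__main__":
    losses = simulate_annual_losses(SCENARIOS)
    print(f"expected annual loss: ${expected_annual_loss(losses):,.0f}")
    for t, p in exceedance_curve(losses, [10_000, 100_000, 1_000_000, 10_000_000, 100_000_000]):
        print(f"P(annual loss > ${t:>11,}) = {p:.3f}")
```

The point of printing the curve rather than a single expected loss is the one Wheeler makes: the phishing scenario sets the expected annual loss and is a budgeting matter, while the breach scenario barely moves the average yet owns the tail of the curve, and that tail is what the board means by risk posture.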
There are other interesting stats in the Cyentia report – blow your mind by perusing the chart showing different perspectives on security effectiveness. I urge you to download it for yourself and spend time mulling over the fine points. It’s well worth the effort.