The Evolution of Accountability and Scrutiny for CSOs
Bay Dynamics CEO Feris Rifai suggests that what’s old is new again. Cybersecurity is undergoing the same transformation finance did post Sarbanes-Oxley; prior to 2002, having a director who was a financial expert in the American corporate boardroom was not the norm. This time next year, the idea of CISOs being actively present on the board will be far from novel.
This piece was originally shared on the RSA Conference blog and is republished here with permission.
History is repeating itself. Before Sarbanes-Oxley passed in 2002, having a director who was a financial expert in the American corporate boardroom was not the norm. Since then, CFOs, who were originally thought of as financial gatekeepers, are held accountable more than ever before for the integrity, accuracy and traceability of the financial information presented to the board. Today, we all know that financial risk is managed across the entire business.
We are now seeing that same transformation in cybersecurity. With the increase in industry regulations, coupled with a steady stream of high-profile data breaches, CISOs are becoming boardroom mainstays, expected to present traceable, understandable and accurate cyber risk information to enterprise leaders. While the transformation spans the gamut of industries, it has become front and center among financial companies, where new regulations and guidelines have come to the surface, such as the newly revised New York State cybersecurity requirements and the Group of Seven (G7) cybersecurity guidelines, in addition to the string of cyberattacks against banks such as the Bangladesh Bank, Ecuadorian and Ukrainian banks, and the Russian Central Bank.
Financial companies are feeling the pressure to make cybersecurity a top business priority that’s on the same level as, if not higher than, other operational risks. While boards want to hear from CISOs on a regular basis, they don’t want to hear about the latest firewall purchase or the number of vulnerabilities that were patched. They want to learn about the company’s cybersecurity program in a language they understand – risk – and how cyber risk maps to dollars and cents.
Measuring the financial impact of cyber risk and prioritizing remediation efforts so that the most impactful security exposures are tackled first should be top of mind for CISOs. This requires knowing where their most valuable assets live and being able to separate real threats and their associated vulnerabilities from noise. Accurately attaching a potential financial loss amount to applications at risk is not easy, but it is a critical success factor for the 2017 CISO.
If CISOs in the financial industry want to swim ahead of the changing tide, they need to speak the board’s language. They need to understand where their most valued assets exist, the threats and vulnerabilities to those assets, and then map the financial impact at stake. Their assessment will need to be based on actual conditions detected in their environment, with actions prioritized toward remediating the threats and vulnerabilities that reduce the value at risk the most. Not only does this approach enable enterprises to direct their limited resources at their biggest problems, but it also arms them with actual financial impact metrics to present to the board. They can show the potential loss they saved the company by taking certain actions, and can assist board members in making effective investment and budget allocation decisions based on the most impactful cyber risks.
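The prioritization approach described above can be made concrete with a small value-at-risk model. The following is an added example, not code from the article or from Bay Dynamics: every asset, dollar figure, threat and exposure score, and remediation option in it is constructed for illustration, and the model (expected loss = asset value × threat likelihood × vulnerability exposure, with each remediation lowering the exposure of specific assets) is an assumed simplification of the "value at risk" idea, chosen so that actions can be ranked by loss avoided per dollar spent.

```python
"""Rank remediation actions by how much financial value at risk they remove.

Added example; the model and all sample data are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Asset:
    name: str
    value_usd: float   # constructed business value (revenue, replacement or penalty exposure)
    threat: float      # assumed 0..1 likelihood that this asset class is actively targeted
    exposure: float    # assumed 0..1 share of known weaknesses still unmitigated

    def expected_loss(self) -> float:
        """Annualised expected loss under the assumed multiplicative model."""
        return self.value_usd * self.threat * self.exposure


@dataclass(frozen=True)
class Remediation:
    name: str
    cost_usd: float
    exposure_after: Dict[str, float]   # asset name -> exposure once this action is applied


def total_value_at_risk(assets: List[Asset]) -> float:
    """Sum of expected losses across the whole asset inventory."""
    return sum(a.expected_loss() for a in assets)


def apply_remediation(assets: List[Asset], rem: Remediation) -> List[Asset]:
    """Return a copy of the inventory with the remediation's exposure changes applied."""
    return [
        Asset(a.name, a.value_usd, a.threat, rem.exposure_after.get(a.name, a.exposure))
        for a in assets
    ]


def rank_remediations(assets: List[Asset], remediations: List[Remediation]) -> List[dict]:
    """Rank candidate actions by loss avoided per dollar of remediation cost.

    Each entry carries the absolute loss avoided as well, which is the figure a
    board wants to see next to the budget request.
    """
    baseline = total_value_at_risk(assets)
    ranked = []
    for rem in remediations:
        after = total_value_at_risk(apply_remediation(assets, rem))
        avoided = baseline - after
        ranked.append({
            "action": rem.name,
            "cost_usd": rem.cost_usd,
            "loss_avoided_usd": round(avoided, 2),
            "avoided_per_dollar": round(avoided / rem.cost_usd, 2),
        })
    ranked.sort(key=lambda row: row["avoided_per_dollar"], reverse=True)
    return ranked


# Constructed sample inventory and candidate actions (not real figures).
ASSETS = [
    Asset("payments-gateway", 50_000_000, threat=0.8, exposure=0.3),
    Asset("hr-portal", 2_000_000, threat=0.4, exposure=0.9),
    Asset("marketing-site", 500_000, threat=0.6, exposure=0.7),
]
REMEDIATIONS = [
    Remediation("patch-payments-gateway", 120_000, {"payments-gateway": 0.05}),
    Remediation("mfa-hr-portal", 40_000, {"hr-portal": 0.3}),
    Remediation("waf-marketing-site", 60_000, {"marketing-site": 0.2}),
]

if __name__ == "__main__":
    print(f"Baseline value at risk: ${total_value_at_risk(ASSETS):,.0f}")
    for row in rank_remediations(ASSETS, REMEDIATIONS):
        print(f"{row['action']:<24} avoids ${row['loss_avoided_usd']:>13,.0f} "
              f"for ${row['cost_usd']:>8,.0f}  ({row['avoided_per_dollar']} per $)")
```

With the constructed numbers, the payments gateway dominates the ranking even though the HR portal has the highest raw exposure, which is the point the article makes: raw vulnerability counts mislead, and the ordering should follow value at risk removed. Replacing the constructed threat and exposure scores with values derived from observed conditions (active targeting, unpatched findings on the actual hosts) is what turns the model into the evidence-based assessment the text calls for.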
Board members are increasingly relying on CISOs to present cyber risk information in the language of risk, mapped to the company’s business imperatives and to the board’s risk tolerance. At this time next year, CISOs being boardroom mainstays will be far from novel.