We know information sharing is key to creating and maintaining cyber mature organizations. But our survey in partnership with McKinsey showed governance from the C-Suite can also improve defenses. Let’s take a closer look at how it works.
Many times, the Chief Information Security Officer (CISO) or other equivalent security executive, while a recognized member of the senior leadership team, may not be seen as having strategic perspective of the organization’s business or mission execution. However, the CISO role has both a bird’s eye view and detailed view of the organization that delivers significant value to the larger governance conversation. “Security executives are in the unique position of having visibility over how all business processes function and how cyber threats target those processes,” explained Michael Figueroa, Executive Director of the ACSC. “Modern CISOs are being increasingly called on to build a more coalition approach to security across their leadership teams.”
More cyber mature companies know an effective cyber defense requires internal and external engagement to create a culture that automatically incorporates cyber risk assessment into business decision-making.
Culture Change Drives Safer Security Practices
This type of culture change best succeeds when driven from the top down. Senior executives that “walk the walk” and are willing to be advocates for cross-functional cyber governance committees and budget resources can help to cement better policies and procedures within the organization. As an example, the study found many cyber mature organizations require cyber risk assessments for new projects in the initial stages and their development methodology requires an assessment of potential related cyber-security risks and costs. As more organizations start to move towards a comprehensive approach, the C-suite must have a deep understanding on how cyber risk and compliance can impact business.
CISO’s now have a captive audience for cyber metrics that reflect both business measures (e.g., value at risk, experienced losses) and technology metrics (e.g., percentage of attacks stopped at each step across the “kill chain”). As historical and projected metrics become a regular part of the strategic planning process, the metrics can be evaluated with an eye to driving decision making (e.g., for cyber investments).
Rather than stay on the front-lines of cyber defense, the CISO should focus on building stronger bonds with other members of the leadership team and building collaborative alliances with external security executives. Inside the organization they may need to consider product development and the board of directors. Outside the organization they should consider local organizations, reporting agencies, law enforcement, and other sources of information / collaboration.
CISO’s have an opportunity to evaluate and quantify cyber risks, incident response simulation, and developing and promoting governance frameworks to better connect cyber decision making into corporate governance.
At the ACSC, we contribute to improving cyber governance by working with our members to identify and share effective practices for security teams collaborating with their boards and senior leadership. The ACSC is spearheading several initiatives including Executive Forum development for improving the CISO/Board relationship and sharing our full survey results with the cybersecurity community.