The Danger of Assumptions

November 19, 2019

A version of this article originally appeared in the November/December 2019 issue of NACD Directorship magazine.

A communications breakdown between chief information security officers (CISOs) and board members is all too frequent. Typically, the culprit for this breakdown is identified as cultural: CISOs often spring from a technical background, where they are more comfortable discussing “speeds and feeds” than profits and losses. For many directors, it’s the exact opposite. For both, there may be unrealistic expectations of the other’s ability to naturally bridge the gap.

Given the high stakes of cyber risk, boards and CISOs need to break through this communications impasse. The first step is for each to question their assumptions, making sure that business facts are proven and understandable to all. Some common board member assumptions that should be clarified with the CISO follow.

CISOs should be able to deliver return on investment (ROI) numbers.
Cybersecurity uses computer technology to combat threats, but not in the same way as the information technology (IT) function. The primary rationales for deploying IT systems are to improve efficiency, reduce costs, and increase revenue. These outcomes are readily measurable in conventional ROI calculations, and none of them are conventional rationales for deploying cybersecurity systems.

Rather, ROI on cybersecurity investments should be viewed through the same lens as other contingent liabilities, like pending lawsuits and product warranties, in addition to the risk of reputational damage and reduced brand equity. However, this will never happen if board members assume cybersecurity ROI can be measured like IT ROI.

Board members won’t be targets.
The fact that board members do not work at the company every day does not eliminate them as a cyber risk. In fact, board members have access to the most sensitive information in the company, making them ideal targets for well-researched phishing attacks aimed at high-value individuals (so-called “whaling” attacks).

Companies should have mandatory, outcomes-based employee cybersecurity training in place, and board members and senior executives should be included. Anyone who assumes they are above such training becomes a risk to their companies.

The company should focus its security efforts on threats in the news.
This is emblematic of a “threat-centric” approach to cybersecurity, in which organizations fixate on the latest threat. Every organization is different, and the threat you’re seeing in the headlines may not be the one most likely to affect your organization.

Cybersecurity programs should be risk-centric, not threat-centric. When you focus on all threats, you spread your forces too thin, overinvest in technology, and create a morass of cost and complexity. You also tend to overlook the risks that are attributable to fundamental weaknesses in your internal business processes that are easily exploited. When you take a risk-centric approach, you understand which assets are most likely to be attacked and who is likely to attack them, and concentrate your forces accordingly.

The CISO’s most important job is to prevent data breaches.
No CISO can prevent all data breaches. Assuming that this is their most important function guarantees failure. Rather, the CISO’s most important job is to understand the enterprise’s cyber risks and to implement a program that effectively manages them. Their top job is to establish the organization’s risk tolerance and plan for when things go wrong—because they almost certainly will.

A good CISO will have a comprehensive incident response plan in place that is rehearsed several times a year. This is critically important: how well an organization responds to security incidents has a profound impact on the overall business damage caused. The board is able to measure a CISO’s readiness efforts and encourage more preparedness as needed.

The CISO knows what the security budget should be.
The cybersecurity industry tends to fuel the threat-centric security model, which has led to CISOs investing large sums in the latest technologies. Now, many organizations find themselves with too much technology, too few people to run it, and no idea what investments to make next.

Assuming that the CISO knows how much is needed can be a dangerous proposition, unless the CISO can articulate in measurable terms how that budget will reduce enterprise risk. Wise, risk-focused CISOs should understand the right budget levels because they also understand contingent liabilities and how to articulate investment in people, process, and technology to reduce risk exposure.

Reevaluating these assumptions will close the communication gap between boards and CISOs, and create much more effective, economical, and board-supported enterprise risk oversight.

By: Mark Adams

Senior Practice Director of Risk Transformation at Optiv
