The Danger of Assumptions

A version of this article originally appeared in the November/December 2019 issue of NACD Directorship magazine.

A communications breakdown between chief information security officers (CISOs) and board members is all too frequent. Typically, the culprit for this breakdown is identified as cultural: CISOs often spring from a technical background, where they are more comfortable discussing “speeds and feeds” than profits and losses. For many directors, it’s the exact opposite. For both, there may be unrealistic expectations of the other’s ability to naturally bridge the gap.

Given the high stakes of cyber risk, boards and CISOs need to break through this communications impasse. The first step is for each to question their assumptions, making sure that business facts are proven and understandable to all. Some common board member assumptions that should be clarified with the CISO follow.

CISOs should be able to deliver return on investment (ROI) numbers.
Cybersecurity uses computer technology to combat threats, but not in the same way as the information technology (IT) function. The primary rationales for deploying IT systems are to improve efficiency, reduce costs, and increase revenue. These outcomes are readily measurable in conventional ROI calculations, and none of them are conventional rationales for deploying cybersecurity systems.

Rather, ROI on cybersecurity investments should be viewed through the same lens as other contingent liabilities, like pending lawsuits and product warranties, in addition to the risk of reputational damage and reduced brand equity. However, this will never happen if board members assume cybersecurity ROI can be measured like IT ROI.

Board members won’t be targets.
Just because board members do not work at the company every day does not eliminate them as a cyber risk. In fact, board members have access to the most sensitive information in the company, making them ideal targets for well-researched phishing attacks targeting high-value individuals (so-called “whaling” attacks).

Companies should have mandatory, outcomes-based employee cybersecurity training in place, and board members and senior executives should be included. Anyone who assumes they are above such training becomes a risk to their companies.

The company should focus its security efforts on threats in the news.
This is emblematic of a “threat-centric” approach to cybersecurity, where organizations are fixated on the latest threat. Every organization is different, and it may very well be that the threat you’re seeing in the headlines is not likely to be affecting your organization.

Cybersecurity programs should be risk-centric, not threat-centric. When you focus on all threats, you spread your forces too thin, overinvest in technology, and create a morass of cost and complexity. You also tend to overlook the risks that are attributable to fundamental weaknesses in your internal business processes that are easily exploited. When you take a risk-centric approach, you understand which assets are most likely to be attacked and who is likely to attack them, and concentrate your forces accordingly.

The CISO’s most important job is to prevent data breaches.
No CISO can prevent all data breaches. Assuming that this is their most important function guarantees failure. Rather, the CISO’s most important job is to understand the enterprise’s cyber risks and to implement a program that effectively manages it. Their top job is to establish the organization’s risk tolerance and plan for when things go wrong—because they almost certainly will.

A good CISO will have a comprehensive incident response plan in place that is rehearsed several times a year. This is critically important: how well an organization responds to security incidents has a profound impact on the overall business damage caused. The board is able to measure a CISO’s readiness efforts and encourage more preparedness as needed.

The CISO knows what the security budget should be.
The cybersecurity industry tends to fuel the threat-centric security model, which has led to CISOs investing large sums in the latest technologies. Now, many organizations find themselves with too much technology, too few people to run it, and no idea what investments to make next.

Assuming that the CISO knows how much is needed can be a dangerous proposition, unless the CISO can articulate in measurable terms how that budget will reduce enterprise risk. Wise, risk-focused CISOs should understand the right budget levels because they also understand contingent liabilities and how to articulate investment in people, process, and technology to reduce risk exposure.

Reevaluating these assumptions will close the communication gap between boards and CISOs, and create much more effective, economical, and board-supported enterprise risk oversight.