Cyber Risk Strategy and the Evolving Role of the CISO

Data breach risk: If we do not protect our data wherever it is located to prevent a loss, exhilaration, or manipulation of data, then service disruption and decision-making affecting patient care; identity theft affecting patients or staff and reputational damage could result with associated costs of recovery. Boards want to understand the costs or severity associated with a breach, the probability of an attack, and the susceptibility of the business to that risk and the urgency of the risk.

Addressing risks

Addressing risks starts with high-level strategies. Again, these can be tailored to your organization but there are some generic ones that will apply in most situations. These include:

• Improve governance and leadership

• Ensure evaluation and direction

• Compliance, audit, and review

• Protect our information and systems

• Develop resiliency and recoverability

• Implement security operations

• Get ready for digital business

Once you have selected all that apply, you can outline the purpose and vision of the security strategy and connect the high-level strategies to objectives.

An example of purpose statement: To support the business to ensure cost-effective and adequate security controls are implemented that reduce risk to services and increase resilience within risk appetite.

Vision: To equip and empower customers to ensure safe, secure and reliable operations over the entire lifecycle of the environment while supporting the business objectives of today and tomorrow.

Security objectives should be aligned to your security framework of choice whether it is NIST, ISO27001 or other. Using NIST’s framework the objectives written in simple business language may be:

• Know what we have, what is critical, and what we are doing in our environment. (IDENTIFY)

• Implement measures to protect our data (PROTECT)

• Catch the events we didn’t prevent in an acceptable time frame (DETECT)

• Prioritize and deal with incidents (RESPOND)

• Return to operational state as soon as possible (RECOVER)

You can now link your security program initiatives to your framework and objectives. For example, under IDENTIFY you might have things like:

• Asset management

• Governance of the environment

• Risk management

• Vulnerability management

The above method allows you to connect business goals to risks, risks to approaches you will use to manage them. These approaches guide the security objectives of the business and the tactics and initiatives you will employ to achieve them, thus connecting tactics to strategy in a way that senior executives and board members can understand.

Role of the CISO

Success or failure of your strategy in terms of board and executive buy-in will come down to how simply but effectively you communicate the strategy to the board. The focus of a CISO should be on how to improve communication with both the board and the operational functions of the business.

A CISO needs to start speaking the language a board will understand – to quote Steve King, “explanations in Japanese mean nothing to someone who only understands Italian.”

CISO’s need to draw on the principles enshrined in marketing, relationship management, and psychology. He or she needs to build trust and speak quantitatively. The role is not about technology leadership—business skills are now paramount. It is the CISO’s responsibility to translate cyber threats and risks in terms of the board and senior leaders comprehend and can consume so they can make properly informed decisions.