Security professionals consistently find it a challenge to get the board interested in cybersecurity and to convince them to invest in cyber defenses.
Here is an interesting data point first. While 72% of FTSE 350 firms in the UK agree that cyber risk is a top-level threat, a mere 46% have a dedicated security budget to match. By that logic, today’s boards appear to be underinvesting in their cybersecurity defenses, yet they are not necessarily to blame.
Before pointing fingers, it’s important to consider how boards manage overall enterprise risk. Unsurprisingly, research has confirmed that boards have very limited time to consider underlying cyber risks. In fact, even in firms that employ chief risk officers, the formal analysis and discussion of risk with the board is confined to a window of just 30 minutes, held yearly, semi-annually, or quarterly. For smaller organizations, it is reasonable to assume that even less time is dedicated to discussing cyber risk.
Those 30-minute slots, moreover, aren’t reserved solely for cyber risk. In that time, boards may have to cover every type of risk they face: financial, technological, cultural, and the list continues.
Under such constraints, CXOs have to decide which cyber risks deserve the lion’s share of their attention. They do so based on, among other things, the assumed severity of each risk and the extent to which a decision can actually be made about it.
The implications for cyber security are obvious. To get boards engaged and investing more in cyber security, one needs to better demonstrate the genuine cyber risk organizations face. That means enterprises will need to get better at monitoring, measuring, and presenting their existing cyber risk and the damage it can do.
Measuring human-led cyber risk is also critical. Admittedly, in some areas, professionals are already good at summarizing and measuring cyber risk. Technological defenses, for instance, typically record the number and severity of the attacks they detect. A rise in the number or severity of attacks is a clear indicator of increased cyber risk.
Building security policies on metrics from technological defenses alone, however, leaves out the security issues that stem from people, and those are the ones that tend to be ignored.
Cyber security is a socio-technological discipline. It concerns people, and at present, while technological risk metrics are reliable, the “measurement” of human cyber risk mostly boils down to whether or not one is running security awareness training.
Understandably, more security-conscious firms have focused on standards, and the standards recommend training, but that is where it stops. Some standards even treat the simple training tick-in-the-box as a significant metric in policy matters.
To time-constrained board members, the tick-box sends a misleading signal. Board discussions do not linger, and a tick-box that effectively confirms “we’re doing what we need to do on the cyber risk front” grants the board permission to move on.
To keep boards focused on cyber security, security professionals must present them with something more arresting: indicators and metrics that demonstrate the true, total (and often alarming) level of cyber risk.
Awareness, culture, and behavior metrics drive investment. Presenting boards with metrics that reveal employees’ security awareness, their security behaviors, and the organization’s security culture should give board-level discussions something truly eye-opening. Suddenly, perceived cyber risk matches actual cyber risk, and deference to tick-box approaches and cognitive biases becomes unnecessary.
Armed with easy-to-comprehend, social, attractive, and timely metrics and recommendations, the board has all it needs to make informed decisions. Going further, it has everything required to measure and advance its cyber risk maturity, either instead of or alongside the varied and relative risk maturity scales that organizations fall back on today.
With such metrics, cyber risk can finally be truly explored, debated, and discussed in totality.
Security professionals need to be more attentive and cautious, as organizations frequently carry an undesirable amount of cyber risk without realizing it. At the very least, security professionals need to do more to ensure that company boards understand the true cyber risk their organizations face.