Pharos founder Douglas Ferguson’s article for CyberScoop on new ways to establish cyber risk appetite with your Board.

Oct 1, 2022

The best thing company boards can do to manage cybersecurity risk is to approach it like any other business risk. To be effective, there must be a working relationship between the boards and the CISO, where goals are aligned, strategy drives protection options, and the business plan gives leadership clear risk appetite choices.

A CISO should center their protection goals around high-value business assets and initiatives aligned to the business’s strategic and operational objectives. This person should understand the business at a broad operational level, from the priorities of legal, finance, IT, HR, and R&D to revenue streams, regulatory requirements, and core operations and assets that drive competitive advantage and customer experience.

All of those disparate parts of the company have threat exposure across many operational surfaces. As we’ve learned from breaches, attackers will leverage any operational exposure to get a foothold, including facilities, personnel, and a company’s supply chain.

Not all threats are the same. They range from basic capability – like a hacktivist – all the way to very advanced nation-state actors. Although it may not be practical to protect against a nation-state, you must instill confidence that you can at least stop a hacktivist. It’s critical to establish a solid foundation of protection before trying for more advanced protection.

It’s important to calibrate protection levels across these business operational surfaces and ask yourself: What quality of attacker can we protect against? How many business assets are we going to protect to that level? Are we going to protect some assets more, and others less? These dimensions directly influence the business plan.

The goals and strategy lay the foundations to develop a budget. If you target a higher level of protection for an asset, it will cost more. If you want to protect more assets, it will cost more. If you want to achieve this protection faster, it will cost more. Laying out cost options to your executive leadership enables them to show you their risk appetite and choose how much protection you are expected to build. As a bonus, if they cut your budget, you can ask finance: ‘Do you want a lower protection level, or less coverage?’

Having these conversations will represent a significant leap forward in terms of strategic planning, prioritization, and establishing cyber risk appetite. For years, other C-suite leaders have been presenting the board with a cost-benefit analysis for their business areas. Security has never been able to bring this level of precision to the table, and that is one reason why it is viewed less as a strategic function and more as a tactical one.

Unfortunately, when organizations approach their security from a compliance first perspective, there tends to be a lot of posing that is framed as action. It can look and feel good, but in the end, it’s really just security theater.

The actual results of compliance-based security aren’t aligned to real business risks. Today’s widely used security frameworks aren’t tailored to your enterprise’s crown jewels. Nor do they calibrate to levels of threat sophistication, nor do they robustly measure the quality of scope or the completeness of coverage.

This approach hurts more than it helps, and in ways that go beyond the technology being used: it can damage security teams’ morale. Most security experts know that a compliance-first approach is just ‘security theater.’ You can spend your career checking compliance boxes, but what does any of that have to do with real risks to the business? That’s not good for your security team, and it saps morale when they know they could be doing more.

Today’s CISOs should be driving strategic discussions across the organization, developing strong business plans that lay out protection options, clear risk appetite choices, and a plan for executing and measuring results. This, more than anything else, elevates the CISO from a tactical partner to a strategic peer across the C-suite. It offers the executive team and board clear choices and accountability for all.

Breaches continue daily, and CISOs’ tenures continue to shrink. Something needs to change, and I believe that something is foundational, almost embarrassingly basic. What CISOs have been doing, mostly out of necessity and not by design, hasn’t been working. Focusing on compliance, checking boxes, and chasing alerts has not been a road to success.

Douglas Ferguson is the CTO and founder of Pharos Security.

Read on CyberScoop