At some point CIOs and CISOs have inevitably to provide a smart and clear answer to the sensitive question from the Board of Directors: Are we 100% secure?
So, how does a security-conscious leader answer such an essential question in a practical, business-focused manner? Here are some of the Do’s and Don’ts of answering this crucial question:
- Instead of saying “We are 100% secure,” socialize and educate the C-suite on the term cybersecurity risk management. Indicate that the threat landscape continuously evolves therefore cyber risk management is regarded as a journey, not a destination. Focus on the risk they are ready to accept, given the many limitations based on company size and associated budget and resources.
- For presentations, have no more than five slides when presenting to the board/leadership team. Talk in terms of risks to the business in the event of a potential security breach. Indicate the important/critical business systems and communicate their impact on business operations, given the current and future threat landscape.
- Explain how saying “we are 100% secure” does not measure cyber risks effectively and, also how cyber maturity and risk management are the KPIs of the organization’s cybersecurity and risk programs. As a security leader, it’s imperative to explain that from the start.
- Use security and compliance certifications. External validation and accreditation are critically important to organizations that secure their data and comply with regulatory requirements. Indicate that these are absolute must-haves. Again, communicate in terms of cyber maturity and risk management of critical business assets and potential impact on business.
- Explain why organizations need to invest in tools/technologies that integrate cyber maturity and security risk management metrics in the context of overall business risks. The board and CEO are well-versed in business risks and will understand this approach.
- Never say: “We are 100% secure.”
- Showcase a few, critical metrics in a presentation to the board and CEO. Don’t mislead them by offering too many metrics.
- Don’t use industry security and compliance certifications as proof of the organization’s 100% security – even if these serve to bolster the team’s personal confidence. Consider the certifications the baseline of the program.
- Don’t use the plethora of tools/technologies and transpose a dollar value to justify the “100% secure” narrative. Big budgets do not necessarily equate to being fully secure.
Security teams should also consider answering the same types of questions from business partners and customers. With that in mind, here are some important takeaways to consider:
- Stay proactive with the CEO and board. Educate them in terms of how the company wants to measure cyber risk management performance. Do this from the first meeting and at every subsequent meeting.
- Take this proactive approach with customers and business partners. It’s important to make many of these same points with customers, partners, prospects, and as well as internal
- Stress security awareness training programs. Educate the organization in terms of what makes sense in cyber risk management and what doesn’t. Cultivate a cyber-aware culture from the executive management down, across the rank-and-file of your entire company.
- Leverage industry-accepted tools and technologies.
Security leaders should not only showcase “shiny” slides but also effectively articulate and communicate with all relevant stakeholders on how the cyber risk management program performs. And by all means, try to acquire the necessary budget and resources to run an effective program to get as close to the utopian “100% security” as possible.