Operational Resilience: Bridging the Communications Gap

If you talk to most any CSO, they want to be relevant at the very least, if not a member of the company's Board of Directors. It’s human nature: we are ambitious to get to the next level, but also curious to hear the conversations that we both hope and don’t hope include our part of the business (depending on whether they are good or bad conversations, of course).

In recent years, just about every organisation had to address digital transformation issues, which are tied closely to the growing cyber threat, so now every Board should have cybersecurity as a regular topic on the agenda. 

However, many may not explicitly call it that. This is because cybersecurity is often viewed as just a tool, and business leaders are hyper-focused on business outcomes. So we must first ask ourselves: what outcome is each business looking to achieve? This can be increased profit, or market share, or reduced operating costs, and in many instances it will be all of the above and more.

The key point is that cybersecurity can play a positive or negative role in any of them. As such, we shouldn’t necessarily be concerned when cybersecurity isn’t its own line item; however, if it isn’t included within broader business goals, there definitely should be cause for concern. 

Personally, my favoured place for cybersecurity is in operational resilience. It is crucial to any business: if you can’t function, the business dies. The question, then, becomes: how do we bridge the gap between cybersecurity jargon and the language of business risk? It is a question I hear many of my peers continuing to ask, and a topic where I am definitely seeing a major shift.

The Shift in Communicating Security Efficacy

Not so long ago, cybersecurity leaders would show up with a dashboard of metrics, be they traffic lights or raw statistics, that demonstrated whether we were able to do our day-to-day jobs effectively, or where there were key gaps we needed to address.

The latter is key where we need the Board’s support. The problem with this style of engagement is these metrics are hard for Board members to comprehend, and all too often the significant shifts are very subtle to the untrained eye. I get why, in such cases, Boards become frustrated.

More recently, I have seen a shift from raw metrics to refined storytelling. Board members, like the rest of us, read the news, and what typically happens then is that they look for common ground to engage on. For example: “I read about this recent incident. Tell me, are we covered against this? What is the potential impact? How would we respond?”

The positive here is the shift to a better, two-way dialogue between the Board and the security teams; but unlike the metrics dashboards, it doesn’t focus on the most critical issues for your specific business.

This is why I see the most valuable conversations being focused on operational resilience. This is typically a newer term for the CSO, but less so for most Boards, who already know which key processes achieve their key business outcomes.

What they are looking to understand is: “What are the key cyber risks that could have a significant impact against these processes? What planning have we done to understand these and put in countermeasures or mitigations against these? What happens when it all goes wrong? What are the contingency plans when all the best laid plans fail?”

Is Your Messaging Aligned with the Board?

It’s a simple conceptual approach to a very complicated reality, and one I think many CSOs struggle with. That is very natural, as it is ingrained in a CSO to defend the business to the best of their abilities. So ask yourself these questions to see just how aligned (or misaligned) you, as the CSO, might be with the Board:

  • Do you have consensus with your Board on which core processes the business sees as critical for success?
  • What does operational resilience look like for these core processes? Is it zero downtime, 30 minutes, or is it a different metric altogether? What’s key here is formalizing the agreement.
  • How do you track the cyber risks against these priorities? These are the interesting stories that you should be sharing during those board meetings.
  • What are the cyber risks you just can’t solve 100% of the time? It is important, of course, to be honest here. 
  • What are the contingency plans? Consider ransomware, for example. What happens if the backups are wiped or simply corrupted: do we go back to paper or something else? Having these conversations means you are thinking about operational resilience.
  • Have we tested our capabilities? My advice here is to get a trusted third-party to regularly test your capabilities because often we are so close to the problem, it's all too easy to miss something obvious. 

Include the Board in some of these exercises, as it's a great way to help bridge the language gap. Again, be honest about your own shortcomings in these conversations. Not every business can have a world-class incident response team and process. To be fair, many don’t need them.

But being honest about this and about the organisation’s level of preparedness, by assuring the Board that you have found the right vendors to partner with, demonstrates that you are aware of and are managing your shortcomings.

I’ve been very fortunate to engage with numerous boards over the years, often as an outsider to the company as the external field CSO. In such instances, I always engage with the internal CSO, who often isn’t getting access to the board themselves. 

What I find most of the time when I have spoken with their Board is that there is a language gap, which starts with not having a common understanding of the issue they are trying to solve, so each of us reverts to our own language.

Traditional CSO metrics of success may mean little to the Board, and the Board in turn may not see the CSO as a core contributor to their key business goals. Understanding this disconnect, and being proactive in engaging the Board in a manner that better fits their point of view, can do wonders to advance a security program.

With the recent accelerated digital transformation every business is going through, there has never been a more relevant time to find a common language. Every Board is different, so take the time to get to know yours. Many are now looking to have a cybersecurity expert, so find out whether one exists or offer to help fill that gap. What's irrefutable is that cybersecurity is only going to become an ever more key component of boardroom discussions.


About the Author

Greg Day

Greg Day is a Vice President and Global Field CISO for Cybereason in EMEA. Prior to joining Cybereason, Greg held CSO and CTO positions with Palo Alto Networks, FireEye and Symantec. A respected thought leader and long-time advocate for stronger, more proactive cybersecurity, Greg has helped many law enforcement agencies improve detection of cybercriminal behavior. In addition, he previously taught malware forensics to agencies around the world and has worked in advisory capacities for the Council of Europe on cybercrime and the UK National Crime Agency. He currently serves on the Europol cyber security industry advisory board.