
Working with your Board - Are You Proving Your Worth?

What the value at risk calculation demonstrates is that you care about the business.


In organisations, CISOs are seen as the people that are responsible for security, but this is not completely accurate - the board is responsible for security and risk as a whole, and the CISO is there to ensure that those responsibilities are met.

According to research by the National Cyber Security Centre, 80% of participants were unsure of where accountability for cyber resided. In many organisations, the CISO (or equivalent role) thought that the board was accountable, whilst the board thought it was the CISO. In truth, it is both.

According to IANS Research, less than half (47%) of CISOs engage with their boards on a monthly or quarterly basis, while 42% meet with their boards on an ad hoc basis. That lack of consistency can undermine your approach. You need to engage with the board around risks and cybersecurity on a regular footing, but the role itself faces a level of ambiguity because the relationship between CISO and board is so loosely defined.

IANS points to around 22% of CISOs being defined as only covering tactical projects around cyber risk, rather than engaging with the business, while 50% have some level of influence but lack consistent visibility.

It’s no surprise then that many CISOs feel their roles are undefined and stressful due to that lack of support from the wider business, according to research by Piazza, Vasudevan and Carr for the University of Greenwich. But how can you get across that divide and make a difference that the business can see?

Are you Caring or Careful?

For many CISOs, the hurdle is to get boards to care about the work that they do around cyber risk. How can you make the work that takes place in a Security Operations Centre (SOC) relevant to the board, and how can you look ahead to help them understand risk before issues come up? How can you avoid getting sidetracked by security stories that blow up in the media, even though they are useful in terms of demonstrating the impact that can take place?

However, getting the board to care about security can lead to more negative associations than positive support. Paradoxically, having the board care only about security is the worst result, because it can confirm your position as ‘only’ taking care of tactical security operations. Instead, you have to stick to a bigger picture approach in order to make the most difference over time.

Why is this such a problem? One CISO I spoke to said that any attention from the board would benefit the team, as it would help him get his budgets confirmed and be able to plan ahead. Yet this tactical consideration ignores the fundamental gap that can exist for CISOs - how to get involved in conversations around business operations and risk, not just cyber issues.

However, this approach keeps you looking back at specific issues or threats, rather than looking forward at the overall risks or perils that they represent. For boards that are used to dealing with risk scenarios and planning, looking at the monetary impact that risks have is more important than the risks themselves. In response, you can create a risk operations process that understands potential issues, assigns financial risk and percentage chances against them, and does this in a continuous process so your Board understands what the organisation stands to lose.

Better Picture

This involves creating a better picture of what business value is at risk, and then quantifying that risk in practice. This relies on that value at risk being tangible for the board, so they can see the impact that your work has.

Estimating the monetary impact is hard - each threat or risk is different, and more or less likely to come to pass - but you don’t have to be exact or completely accurate. Instead, these values should flex in line with how much risk and potential impact those issues represent at the time.
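The continuous risk operations process described above, assigning a financial impact and a probability to each potential issue and rolling them up into what the organisation stands to lose, can be sketched in code. The example below is added here and is not from the article or from Qualys; the risk register entries, the probability and impact ranges, and the currency are constructed for illustration. It uses ranges rather than single figures, so the estimates can be rough and can flex as the picture changes, and it produces both a simple expected annual loss and a Monte Carlo view of how bad a year could plausibly get.

```python
"""Roll up a cyber risk register into a value at risk figure (added example)."""
import random
import statistics

# Constructed risk register: each scenario carries an annual probability range
# and a monetary impact range (GBP). Ranges are deliberate: the estimates are
# expected to be imprecise at first and to be refined over time.
RISK_REGISTER = [
    {"scenario": "Ransomware on core ERP",
     "prob": (0.05, 0.15), "impact": (500_000, 4_000_000)},
    {"scenario": "Customer data breach via web app",
     "prob": (0.10, 0.25), "impact": (200_000, 2_000_000)},
    {"scenario": "Supplier credential compromise",
     "prob": (0.10, 0.30), "impact": (50_000, 600_000)},
    {"scenario": "Prolonged DDoS on e-commerce site",
     "prob": (0.20, 0.40), "impact": (20_000, 300_000)},
]


def scenario_point_estimate(entry):
    """Midpoint probability times midpoint impact for one scenario."""
    prob_mid = sum(entry["prob"]) / 2
    impact_mid = sum(entry["impact"]) / 2
    return prob_mid * impact_mid


def expected_annual_loss(register):
    """Single-number summary: sum of the per-scenario point estimates."""
    return sum(scenario_point_estimate(r) for r in register)


def top_contributors(register):
    """Scenarios ordered by point estimate, largest first; useful for board slides."""
    ranked = sorted(register, key=scenario_point_estimate, reverse=True)
    return [r["scenario"] for r in ranked]


def simulate_annual_loss(register, years=10_000, seed=1):
    """Monte Carlo: for each simulated year, draw whether each scenario occurs
    (with a probability sampled from its range) and, if so, what it costs
    (sampled from its impact range). Returns one total loss per simulated year."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    losses = []
    for _ in range(years):
        year_loss = 0.0
        for r in register:
            prob = rng.uniform(*r["prob"])
            if rng.random() < prob:
                year_loss += rng.uniform(*r["impact"])
        losses.append(year_loss)
    return losses


def loss_summary(losses):
    """Percentile view of the simulated losses: mean, median, 95th percentile,
    worst case and the chance of at least one loss event in a year."""
    ordered = sorted(losses)
    n = len(ordered)

    def pct(q):
        return ordered[min(n - 1, int(q * n))]

    return {
        "mean": statistics.fmean(ordered),
        "median": pct(0.50),
        "p95": pct(0.95),
        "max": ordered[-1],
        "prob_any_loss": sum(1 for loss in ordered if loss > 0) / n,
    }


if __name__ == "__main__":
    print(f"Expected annual loss: GBP {expected_annual_loss(RISK_REGISTER):,.0f}")
    for name in top_contributors(RISK_REGISTER):
        print("  -", name)
    summary = loss_summary(simulate_annual_loss(RISK_REGISTER))
    for key, value in summary.items():
        print(f"{key:>14}: {value:,.2f}" if key != "prob_any_loss"
              else f"{key:>14}: {value:.1%}")
```

The point estimate is the figure most boards will ask for first; the 95th percentile is the one that answers "how bad could a single year be", which is the question a board used to risk planning will ask next. Re-running the register each quarter with updated ranges is what turns this into the continuous process the article describes.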

What the value at risk calculation demonstrates is that you care about the business, and that your team’s efforts are designed to protect what the business values most of all.

The biggest challenge here is getting started. In the rush to put a monetary value at risk around potential issues, you may feel that your work is not yet accurate enough to share, but without this effort at the start, you can’t improve your own accuracy around measuring risk and value, and you can’t start to share that approach with the board either.

It is better to get started and refine the process over time, rather than sticking to more traditional technical metrics that don’t connect to what the board ultimately cares about. This can also help you redefine your relationship with the business, concentrate on longer term business impact, and remove the uncertainty that can exist around the CISO role.



Matt Middleton-Leal
Matt Middleton-Leal Managing Director EMEA Qualys
