
Josh Goldfarb at F5 describes the importance of communicating cyber-security to senior management by providing solutions rather than simply outlining threats
Increasingly, security is becoming a fundamental part of business, and should be a major consideration for those hoping to generate and sustain business success. As this transformation has taken place over recent years, it has forced security teams to evaluate their repertoire of skills and consider how they might build on their commercial acumen.
Among the most important business competencies for the modern-day security professional is the ability to clearly and accurately present potential security risks to the board.
Discussions between security leaders and board members have traditionally been somewhat contentious, with both parties having differing perspectives and priorities. In essence, the core role of a C-suite executive is to consider the financial health of the organisation and set in place strategies to facilitate growth.
While security teams might consider how threats might materialise and the potential operational impact of cyber-attacks, boards are ultimately concerned with the financial implications of security risks, whether from loss of revenue, regulatory fines or damage to brand reputation, and need to understand those implications first.
With this in mind, what is the best way for security experts to communicate cyber-risks to decision makers, and ensure they understand the severity of the danger facing an organisation? In my experience, it boils down to translating how risks and threats will translate into monetary impact.
In this article, I share a number of ways in which security professionals can do this.
Recognise essential resources and data
Typically, security incidents involve the theft of sensitive data, compromised resources and vulnerable accounts. As such, security teams need a comprehensive understanding of which resources and data are critical to business function, and which, if lost or compromised, would have the largest financial repercussions.
Understand the potential impact for each one
It’s equally important to identify the potential financial impact on the organisation if one of these critical resources or data sets is compromised. This is a crucial step in the process of communicating risks to C-suite executives, and a point we will return to in this guide.
Contextualise risks and threats
Next, security teams need to have a comprehensive understanding of the current threat landscape facing their businesses. They need to ask themselves: who might be targeting their critical information, why their business is a target, and what the risks are to the business. These risks and threats need to be enumerated, and that enumeration is essential to the steps that follow.
Chart risks and threats to resources and data
Once critical resources and data have been identified, their potential impact understood, and the risks and threats enumerated, security teams need to chart each risk and threat to the resources and data it affects.
It’s unlikely that every resource or piece of data has the same risk profile or faces the same threats, so security teams should be cognizant of which risks are relevant to which resources and data, and map accordingly.
Understand risk exposure
Potential loss should be considered in terms of risk exposure rather than risk in absolute terms. In essence, risk exposure is the probability that a risk will materialise multiplied by the impact should it materialise. In short, if the potential impact is huge but the probability is very low, or vice versa, the risk exposure is much lower than the impact considered on its own. Probability estimates are inherently uncertain, so it is worth stating the assumptions behind them alongside the resulting figures.
Frame risk exposure in financial terms
We are now approaching the same language used by the board, which aims to understand exposure in financial terms. If, as security professionals, we’ve done a good job of understanding potential impact in monetary terms, this step should flow naturally from the previous step of calculating risk exposure.
Calculate, aggregate and present risk exposure
We cannot expect a board to understand and extrapolate conclusions from the detailed and granular risk evaluations carried out in the previous steps. With this in mind, security teams should roll risk exposure up into higher-level aggregates (e.g., business units or product lines).
These aggregates are what can be used to communicate risk to the board, so that they gain an understanding of their exposure from multiple viewpoints and at the levels of aggregation they are comfortable operating in.
While not always simple and requiring a decent amount of investment, this process is a straightforward and logical one. As a bonus, once risk exposure has been properly communicated to the board in their language, it becomes easier for the security team to show return on investment and highlight its value.
Balancing controls
From here, mitigating controls are essential. An investment in time, money and resources is required for both protective and detective controls. It is often helpful to show their value to the business, expressed as the reduction of risk exposure in monetary terms, to encourage the board to make these investments.
Invest in people, process, and technology
By trusting and investing strategically in personnel, processes and technology, security posture can be enhanced. The steps above help to outline and justify where these investments should be made, and the ways in which they will lead to improved security.
Justify the return on investment
Security teams should be in a position to justify the return on investment (in risk exposure avoided) of each recommendation. This is one of the fundamental ways in which a security team can demonstrate its value and communicate its success to the board.
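The steps above, from charting threats to assets through to justifying a control's return on investment, can be worked through as a small calculation. The following Python script is an added example and not code from the article or from F5; the assets, business units, threat probabilities, impact figures and control costs are constructed sample numbers, and the simplification that a control reduces the probability of a single threat by a fixed fraction is an assumption made for illustration.

```python
"""
Worked example of the risk-exposure procedure: map enumerated threats to
critical assets, compute exposure = probability x impact per asset, roll it up
by business unit, and express each candidate control as exposure avoided minus
its cost. All figures are constructed for illustration (not real data).
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    business_unit: str
    impact_usd: float  # estimated financial loss if compromised (constructed)


@dataclass(frozen=True)
class Threat:
    name: str
    annual_probability: float  # estimated chance of materialising in a year (constructed)
    targets: frozenset  # names of the assets this threat is charted to


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost_usd: float
    mitigates: str  # name of the threat the control addresses
    probability_reduction: float  # fraction of that threat's probability removed (assumption)


def exposure_by_asset(assets, threats):
    """Chart threats to assets and sum probability * impact for each asset."""
    by_name = {a.name: a for a in assets}
    exposure = defaultdict(float)
    for t in threats:
        if not 0.0 <= t.annual_probability <= 1.0:
            raise ValueError(f"probability out of range for threat {t.name!r}")
        for target in t.targets:
            asset = by_name[target]  # KeyError: threat charted to an unknown asset
            exposure[asset.name] += t.annual_probability * asset.impact_usd
    return dict(exposure)


def exposure_by_business_unit(assets, threats):
    """Roll per-asset exposure up to the level a board operates at."""
    per_asset = exposure_by_asset(assets, threats)
    rolled = defaultdict(float)
    for a in assets:
        rolled[a.business_unit] += per_asset.get(a.name, 0.0)
    return dict(rolled)


def control_value(assets, threats, control):
    """Exposure avoided by applying the control, and net benefit after its cost."""
    if not 0.0 <= control.probability_reduction <= 1.0:
        raise ValueError(f"reduction out of range for control {control.name!r}")
    before = sum(exposure_by_asset(assets, threats).values())
    adjusted = [
        Threat(t.name, t.annual_probability * (1.0 - control.probability_reduction), t.targets)
        if t.name == control.mitigates else t
        for t in threats
    ]
    after = sum(exposure_by_asset(assets, adjusted).values())
    avoided = before - after
    return {"exposure_avoided_usd": avoided,
            "net_benefit_usd": avoided - control.annual_cost_usd}


def rank_controls(assets, threats, controls):
    """Order candidate investments by net benefit, highest first."""
    scored = [(c.name, control_value(assets, threats, c)["net_benefit_usd"]) for c in controls]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed sample inventory, threat register and candidate controls.
SAMPLE_ASSETS = [
    Asset("customer_db", "Retail", 5_000_000),
    Asset("payments_api", "Payments", 8_000_000),
    Asset("hr_system", "Corporate", 500_000),
]
SAMPLE_THREATS = [
    Threat("credential_stuffing", 0.30, frozenset({"customer_db", "payments_api"})),
    Threat("ransomware", 0.10, frozenset({"customer_db", "hr_system"})),
    Threat("insider_data_theft", 0.05, frozenset({"hr_system"})),
]
SAMPLE_CONTROLS = [
    Control("mfa_on_customer_logins", 250_000, "credential_stuffing", 0.80),
    Control("tested_offline_backups", 150_000, "ransomware", 0.50),
]

if __name__ == "__main__":
    for unit, usd in sorted(exposure_by_business_unit(SAMPLE_ASSETS, SAMPLE_THREATS).items()):
        print(f"{unit:10s} exposure ${usd:,.0f}/yr")
    for name, net in rank_controls(SAMPLE_ASSETS, SAMPLE_THREATS, SAMPLE_CONTROLS):
        print(f"{name:24s} net benefit ${net:,.0f}/yr")
```

The per-business-unit figures are the ones a board slide would carry; the per-asset breakdown stays with the security team as backing detail. Ranking controls by net benefit is what turns the same numbers into an investment recommendation.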
Presenting security risks to the board, in a digestible, sincere and articulate manner is not always an easy task. However, it is an important investment, both in time and money, and one that can yield hugely positive returns for security teams.
When security professionals understand how to properly communicate security risks to the board, they are able to demonstrate the vast amount of value they bring to organisations, generate additional funding, and gain the confidence of the board to mitigate risks and threats to the business.
Josh Goldfarb is Global Solutions Architect – Security at F5
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543