
How to answer your board’s questions on cyber-risk exposure

Sponsored by Palo Alto Networks

When your company has been breached, or you find you are vulnerable to a potentially devastating exploit (for example, exploitation of the Log4j vulnerability), it often triggers a series of activities that consume the lives of almost everyone connected to the security team. If you’re the CISO, you know you aren’t in for a lot of sleep until the threat has been fully assessed, contained, mitigated and ultimately removed – or at least neutralised to the point that your operations can return to a “normal” state.

But CISOs are not the only ones trying to understand and minimise the repercussions of the vulnerability or attack. Other executives on the team also have a vested interest in remaining up to date on progress.

Let’s start with how to prepare yourself to answer question one: “What’s our risk exposure, and did we experience any impacts?”

Subtext questions to consider:

  • Are business-critical systems and data impacted, and how will this impact the business?
  • What have we done to limit exposure, and what are we planning to do?
  • What about key strategic partners and third parties? Do they expose us to additional risks?

Quantifying the cyber-risk exposure: just how bad are we talking?

What your executives and board really want to know is, what’s the likelihood that something bad is going to happen, and just how bad will it be if it does? Risk exposure is calculated by likelihood times impact, but the board obviously isn’t thinking in equations. They’re thinking about how this is going to impact your business-critical functions, how to keep key data protected, how to keep customers happy and, finally, how to continue generating revenue.

When it comes to assessing and reporting on your risk, you will need to analyse all the networks and systems in place to understand exactly how far-reaching your exposure is. You will also need to look across the business to identify any third parties, partners or supply chain elements that could introduce risks. Understanding what your vendors and strategic partners are doing to limit their exposure (and yours) will likely require some persistence on your part. But it is better to be annoying than caught off guard by a piece of software or integration that leaves you susceptible to attack.

This detailed analysis will help you respond to your board’s concerns about which business-critical systems, data and operations could be impacted and what that could mean for the business. It also helps you stratify your risk and answer the almost inevitable follow-up questions, such as “Of our high-risk third parties, which ones have this under control and which do we need to be the most concerned about?”

In addition, you’ll want to take the opportunity to provide insights into:

  • Your plans if the exploit is successful
  • How to “stop the bleeding” to keep delivering critical functions
  • How the business plans to recover

This should include a discussion of all the things you have done – and are doing – to both limit your exposure and increase the resilience of your operations, including your third-party business ecosystem, so you can keep functioning on a day-to-day basis.

Naming the impacts on the business: bottom-line it for us

Dealing with impacts goes above and beyond the tactical responses of your team. You must think holistically to cover all potential technical and business impacts. For instance, you will want to assess and report on:

  • Costs. What did it cost to respond to the incident and to recover, rebuild, replace or transform any affected applications, systems or infrastructure? What about other costs, such as the churn on the team and other intangibles that resulted from the focus being pulled away from other activities?
  • Strategic implications. Was there any loss in competitive advantage or market share/position?
  • Damage to reputation. Were there any changes in customer satisfaction or loyalty? Did they impact investor relations or the partner ecosystem?
  • Legal and regulatory compliance issues. Did it affect compliance obligations or generate any legal concerns? For example, is there any potential for investor/customer lawsuits? Any fines? Was any regulated or confidential data exposed? Are reasonable steps being taken to protect customer data, and how can the business show that due care is being exercised to keep it protected? (The FTC recently warned that it intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect customer data from exposure to critical known vulnerabilities.)
  • Operational disruptions. Were services or the supply chain impacted? Were any strategic initiatives delayed or put in jeopardy due to these activities? What are the resilience measures in place designed to minimise future impacts?

Walking into meetings with answers to these questions will help you explain to the board what you are dealing with and how you plan to address it to maintain acceptable risk levels.

This article is part one of a series that offers guidance on proactive communication strategies for CISOs, including ways to translate key information and express your actions in executive language, so you can remain focused on the important work of responding to incidents, events and threats and mitigating their organisational impact.

Check out our content series to answer your board’s questions relating to risk exposure, risk mitigation, due diligence and compliance.

By Tim Erridge, Vice President, Services, EMEA, Palo Alto Networks
