How CISOs can hit a homerun in the boardroom

Billy Austin

Most CISOs are not presentation experts in the boardroom, but these days, the CIO is counting on them heavily as data breaches continue to consume more and more of the business agenda. Over the past several months of meetings with CISOs, one commonality was the struggle of translating security jargon so the C-Suite can comprehend it. The other challenge was putting it into a language that gets their attention: dollars and cents.

After addressing these challenges and with the recent adoption of MAX Risk Intelligence’s data breach analytics, we are finding ourselves in the CISO office more frequently. During our initial consultation, the request is always the same: they want to keep it simple and arm their CIO for the presentation. Given the attention span of these business executives, in most cases we focus the consultation based on the assumption of a 5-15 minute security agenda.

Here are six example data breach consultation questions: 

  • What type of data holds the most value within your business?
  • Do you know the volume of unprotected data putting your business at risk and who has access?
  • Is there vulnerability intelligence that shows how this data could be compromised by data thieves?
  • Does your business have cyber liability insurance?
  • If so, do you have adequate liability coverage?
  • If a data breach were to occur today, have you quantified the financial impact?

Texas CISO called data breach analytics a homerun

Most CISOs do not have an immediate answer for each and every question (unless they've already deployed MAX Risk Intelligence). While most can provide a partial response to the first four questions, the last two are usually unanswerable. Over 90% of the time, this is where we provide a complimentary data breach risk analysis on a subset of devices, so that the sample board presentation can be built from the customer's own data.

After our latest interview and data breach risk analysis, one Texas CISO defined customer PII as his most critical data type. After we showed him how he could use our reports to build a storyboard running from data discovery, through vulnerability detection, to calculated loss exposure, and then deliver it in a board presentation, he called the experience "hitting a home run":

1. Data breach risk

Key areas of CIO communication: This is your first communication. Keep it high level, focusing on three main points:

  • What data is at risk and who has access to it?
  • How will the attacker compromise the data?
  • What will it cost when you’re breached?

Data_Breach_Risk.png

Recommendation: Because the calculated liability exposure exceeds our cyber liability coverage, remediation is already underway, starting with unencrypted payment data and followed by Social Security data.

2. Personal Identifiable Information at risk

Key areas of CIO communication: Summarize the PII at risk in dollars and cents, broken down by the views below (use these filters when a view carries a significant dollar value and/or its risks can be remediated immediately):

  • Corporate vs BYOD
  • Mobility vs computing
  • Branch offices vs corporate

PII_at_Risk.png

Recommendation: Filter the summary to show the specific PII in areas that can be remediated immediately. Dropbox, shared network drives and Outlook mail are common places where encrypting or deleting data can reduce the financial exposure to a data breach by $x million. (Dollar amounts are recalculated whenever a filter is applied.)

3. Data Breach Risk Trend

Key areas of CIO communication: Address the past, present and future of the data breach risk exposure. The key message to the board is that your financial impact is falling every x days.

Data_Breach_Risk_Trend.png

If your business is acquiring companies, note that this could cause increased financial risk when merging corporate and network resources. Adopting remote workers, BYOD and cloud file sharing are a few notable causes of financial impact spikes.
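To make the three slides above concrete, here is a small added model (example code written for this page, not the vendor's product or the article's own material) that tallies exposure from constructed discovery findings, re-totals when filtered by location or device class, compares the result to a policy limit and computes the trend figure; the per-record cost values, field names and sample findings are all assumed placeholders.

```python
from dataclasses import dataclass

# Assumed per-record loss figures in dollars: constructed placeholders for this
# example, not figures from the article or any vendor report.
COST_PER_RECORD = {"payment_card": 200.0, "ssn": 150.0, "email": 5.0}

@dataclass(frozen=True)
class Finding:
    """One discovered store of PII, as a data-discovery scan might report it."""
    device: str      # "corporate" or "byod"
    location: str    # e.g. "dropbox", "network_share", "outlook", "laptop_disk"
    data_type: str   # key into COST_PER_RECORD
    records: int
    encrypted: bool  # encrypted stores are treated as not exposed

def exposure(findings, **filters):
    """Dollar exposure of unencrypted records, restricted to findings matching
    the filters, e.g. exposure(f, location="dropbox"); re-totals per filter."""
    total = 0.0
    for f in findings:
        if f.encrypted or any(getattr(f, k) != v for k, v in filters.items()):
            continue
        total += f.records * COST_PER_RECORD[f.data_type]
    return total

def by_data_type(findings):
    """Exposure per data type, to rank which data to remediate first."""
    totals = {}
    for f in findings:
        totals[f.data_type] = totals.get(f.data_type, 0.0) + exposure([f])
    return totals

def coverage_gap(findings, coverage):
    """Positive when exposure exceeds the cyber liability policy limit."""
    return exposure(findings) - coverage

def daily_reduction(snapshots):
    """Average dollars of exposure removed per day between the first and last
    (day, exposure) snapshot: the trend figure for the board."""
    (d0, e0), (d1, e1) = snapshots[0], snapshots[-1]
    return (e0 - e1) / (d1 - d0)

# Constructed sample scan results for a small environment.
SAMPLE = [
    Finding("corporate", "dropbox", "payment_card", 1000, False),
    Finding("byod", "outlook", "ssn", 500, False),
    Finding("corporate", "network_share", "ssn", 2000, True),
    Finding("byod", "laptop_disk", "email", 10000, False),
]
```

On the constructed sample, `exposure(SAMPLE)` yields 325000.0, `exposure(SAMPLE, location="dropbox")` re-totals to 200000.0, and `coverage_gap(SAMPLE, 250_000)` shows a 75000.0 shortfall against an assumed policy limit.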

Conclusion:

While many CIOs and CISOs have accepted that a data breach is inevitable, don't assume board officials have. Show that you are reducing the liability exposure you would face if a breach occurred. For those considering cyber liability insurance, we also recommend reducing your liability exposure first, which contributes to lower premiums.

Every CISO should be hitting a home run in the board room. You can too. Know the financial impact of a data breach on your business within hours!

Do you have experience presenting security or data breach analytics in the board room? Share your experience.