CISOs: Embrace a common business language to report on cybersecurity


The U.S. Securities and Exchange Commission (SEC) recently issued updated proposed rules regarding cybersecurity risk management, program management, strategy, governance and incident disclosure for public companies subject to the reporting requirements of the Securities Exchange Act of 1934. As a result, the SEC may be amending previous guidance on disclosure obligations relating to cybersecurity risks and cyber incidents to include processes that require organizations to inform investors about a company’s risk management, strategy and governance in a timely manner with any material cybersecurity incidents.

To effectively manage communication to the C-suite and board level, security leaders must communicate and report on cybersecurity efforts in the language of the business.

Over the past two years, security breaches have been on the rise as digital transformation has rapidly increased, expanded and affected business models, customer experiences, products and operations. Now a top business risk category for many companies, cybersecurity is increasingly a focus and conversation at the board and C-suite level.

And, since the role of the chief information security officer (CISO) has grown dramatically from protecting only the technology to protecting all of the supporting data, intellectual property and business processes, companies are recognizing the need for the CISO to have increased access to the C-level and board to help with business decisions.

The challenge, however, is that security leaders have traditionally communicated in technical and operational terms that are difficult for business leaders to understand. For CISOs to be effective, they must adopt a holistic security program management (SPM) strategy. This approach will support the ability to communicate and report on cybersecurity efforts consistently in business terms, using outcome-based language, and connect security program management to the business’ key priorities and objectives.

What is security program management (SPM) in cybersecurity?

SPM reflects modern cybersecurity practices and supporting domains. This approach supports a common language that can be applied across industries and understood by both technical and nontechnical executives — while adapting to shifts in business outcomes, technology and the threat landscape.

However, for SPM to be successful, the security industry needs to refocus from centering on compliance frameworks to SPM methodologies that are continuously updated and managed throughout the year. This approach will broaden business insight into key elements and technologies of a modern cybersecurity program such as application security, cloud security, account takeover and fraud.

SPM has been proven effective in guiding security leaders to continuously measure, optimize and communicate their program needs and results. In fact, consistency of SPM has proven to provide continuity in security programs — even as people may change roles — and for reporting, ensuring that metrics are accurate and reliable.

Despite the elevation of cybersecurity as a top board priority and concern, businesses need to address the “elephant in the room” — the gap in communication and common understanding between CISOs, their security programs and their boards when it comes to SPM. Organizations are recognizing that only a small percentage of their security teams are effective when communicating security program strategies and risks to the board, according to a Ponemon study.

CISO: Cybersecurity support starts at the top

This can be described in two parts. First, the board needs to understand the biggest risks to revenue, and cyberattacks are not cheap: they can be an expensive threat to companies. Yet, few companies can communicate their security program effectiveness to executives and the board in business terms that can be quickly understood.

Second, communication has to be consistent across the organization. We must embrace business language and terms from one business unit to another. For example, in comparing two business units, one may generate revenue while the other does not, because the second business unit plays a support role for the company. The security program may prove to be optimal in the first business unit yet not in the second.

Why not? In speaking with the executives and board, the security leader must speak at a level that their stakeholders understand, so that those stakeholders can grasp what a comprehensive security program will reveal. Providing relevant, digestible information on SPM and its progress both up and down the ladder — to peers, team(s), the C-suite and board — is critical.

Compliance and cybersecurity: They are not equal

There is no one quick fix to address and remediate all security issues. Over the years, organizations have implemented various strategies to remain compliant. Compliance, however, is not as comprehensive as a security program: it may only focus on the subset of people, processes, technology and assets that are in scope for a particular compliance effort.

Others have implemented SPM to increase transparency and help C-level and the board better understand and assess the maturity and comprehensiveness of a company’s cybersecurity program, and therefore the relative levels of risk exposure that companies face.

The bottom line is that CISOs are hired to protect the company’s data, applications, infrastructure and intellectual property (IP). As companies move forward in the 2000s, the focus is on data being the new currency — we must embrace SPM in order to be successful in reporting on our cybersecurity efforts.

Making a difference for the business

Gartner predicts that by 2025, 40% of boards will have a dedicated cybersecurity committee overseen by a qualified board member. At the board, management and security team levels, this is one of the several organizational changes that Gartner forecasts will expand due to the greater exposure of risk resulting from the digital transformation during the pandemic. 

To effectively lead, the security leader must have decades of security program experience, have previously reported directly to a board, become an advisor or an independent board observer and have reputable security certifications. With those qualifications covered, the CISO will have the business acumen and support to get the job done. 

As a key advisor to the board, a security leader will help increase awareness of the financial, regulatory and reputational consequences of cyberattacks, breaches and data loss, and will be central to risk and security planning. These discussions will ensure risks are reviewed, funded or accepted as part of the organization’s business strategy.

Demetrios “Laz” Lazarikos is a 3x CISO, the president and cofounder of Blue Lava.
