What CISOs Need To Tell Their Boards About Cyber Security
Put security in the context of business and operational risk
By now, your company’s board of directors should have gotten the message: cyber security is their responsibility too
Over the last few years, shareholders have filed lawsuits against directors and officers at companies like Target, Wyndham Worldwide, Heartland Payment Systems and TJX Companies following massive data breaches. Those suits charged that these parties failed to meet loyalty and fiduciary responsibilities because of inadequate information security controls, policies and procedures.
Indeed, boards are concerned about cyber risks, though they are not always as engaged as they should be, according to PwC in its key findings report from the 2015 US State of Cybercrime Survey. Thirty percent of participants say, for instance, that there is no board engagement in this area at all, compared to 25% who report full Board of Director engagement in security issues, planning and decision making.
The PwC report recommends that security executives should not wait for the board to ask questions about cyber risks and cyber security preparedness. Rather, CISOs and CSOs should proactively and regularly update the board on what’s being done to monitor and mitigate cyber risks.
How will you as an IT leader act on that advice? What will you tell your board members that your company is doing to protect its most valuable assets, and how do you best convey that information?
One suggestion is to start by reminding them that we’re now operating in a cloud-first world. Tell them that your team is driving hard to keep business-critical applications and data that reside in on-premises, private, and hybrid clouds safe amid a growing number of points of access that hackers can use to launch an attack.
Key Talking Points
Ideally, you’ll be able to communicate the following about your security arrangements:
• You’ve seen past approaches fall down on multiple counts.
• You’ve changed strategy to address the changing threat
• Your current plan emphasizes total, integrated security.
While these approaches have value, your board needs to know that ultimately they leave your enterprise with too many disparate systems; too many alerts with too little cause and resolution information; and no protection against zero-day threats that exploit unknown computer
Relying on point systems or Security Information and Event Management (SIEM) solutions also results in too much focus on how something bad happened, versus a proactive approach that involves understanding how current activity means that something bad is about
Make it plain to your directors that the threat environment is expanding. Tell them that to combat it, you are pursuing the deployment of a comprehensive and integrated security solution.
To that end, you must explain that your concentration has been on moving beyond implementing discrete defense disciplines – perimeter defenses, log management, vulnerability management, and endpoint security – and even Defense-in-Depth layering tactics, which have fallen short.
Highlight the fact that your efforts instead now veer towards a holistic and adaptive security solution that can complement existing security deployments so that ROI
What matters today is a multi-layered security architecture that takes a “predict, detect, and neutralize” stance spanning premise-based, cloud and hybrid
An Integrated Approach
A modern, agile security architecture must include the ability to automatically recognize patterns in network behavior that let you find threats before they occur – a capability that can be enabled by adaptive behavior analysis and machine learning.
Such an architecture should include:
• Real-time analytics
• Continuous expert monitoring
• Perimeter/interior protection
• Peer-level information sharing
• Operational ease of use
Experts suggest that your discussions with the board should be framed in the context of risk, which as business people they are primed to understand. So consider including in your presentation statistics that illustrate risk and its cost, such as:
• The total number of security incidents detected by respondents to PwC’s The Global State of Information Security Survey 2015 climbed to 42.8 million, an increase of 48% from 2013.
• Data breaches continue to pack bigger wallops. Over the past year, the cost of data breaches due to malicious or criminal attacks has increased from an average of $159 to $174 per record, according to The Ponemon Institute 2015 Cost of Data Breach Study: Global Analysis.
Masergy’s Unified Enterprise Security delivers an integrated approach to advanced threat
Then, help them understand how your revised approach to security is working in terms of defeating those risks. You can do that best by showcasing key performance indicators – such as the number of security attacks identified and repelled, the elapsed time from incident identification to remediation, and the control cost/effectiveness ratio – that help them quickly grasp the significant impact of your work and measure its success over time.
Given what’s at stake, it’s never been more critical for directors – and your company’s investors – to stay plugged into cyber security threats and what you’re doing to address them. Considering the ease of access that hackers have to tools to do their dirty work – not to mention the criminal enterprise or state sponsorship behind so many attacks – this problem isn’t going away anytime soon.
Learn about Masergy’s Unified Enterprise Security (UES) solutions at:
Talk to an expert or request a free consultation.
Corporate Headquarters (USA): 2740 North Dallas Parkway, Suite 260, Plano, TX 75093 USA. Phone: +1 (214) 442-5700. Fax: +1 (214) 442-5756
European Headquarters (UK): 29 Finsbury Circus, Salisbury House 5th Floor, London, EC2M 5QQ UK. Phone: +44 (0) 207 173 6900. Fax: +44 (0) 207 173 6899