What CISOs Need To Tell Their Boards About Cyber Security



What CISOs Need To Tell Their Boards About Cyber Security

Put security in the context of business and operational risk

By Now, Your Company’s Board Of Directors

Should Have Gotten The Message: Cyber Security

Is Their Responsibility Too

Over the last few years, shareholders have filed lawsuits against directors and officers at companies like Target,

Wyndham Worldwide, Heartland Payment Systems and TJX Companies following massive data breaches. Those suits

charged that these parties failed to meet loyalty and fiduciary responsibilities because of inadequate information security

controls, policies and procedures.

Indeed, boards are concerned about cyber risks, though they are not always as engaged as they should be, according

to PwC in its key findings report from the 2015 US State of Cybercrime Survey. Thirty percent of participants say, for

instance, that there is no board engagement in this area at all, compared to 25% who report full Board of Director

engagement in security issues, planning and decision making.

Be Proactive

The PwC report recommends that security executives should not wait for the board to ask questions about cyber risks

and cyber security preparedness. Rather, CISOs and CSOs should proactively and regularly update the board on what’s

being done to monitor and mediate against cyber risks.

How will you as an IT leader act on that advice? What will you tell your board members that your company is doing to

protect its most valuable assets, and how do you best convey that information?

What will you tell your

board members that

your company is doing to

protect its most valuable

assets, and how do

you best convey that


One suggestion is to start by reminding them that we’re now operating in a cloud-first world. Tell them that your team is

driving hard to keep business-critical applications and data that reside in on-premises, private, and hybrid clouds safe

amid a growing number of points of access that hackers can use to launch an attack.

What CISOs Need To Tell Their Boards About Cyber Security 1

Key Talking Points

Ideally, you’ll be able to communicate the following about your security arrangements:

You’ve seen past approaches

fall down on multiple counts.

You’ve changed strategy to

address the changing threat


Your current plan emphasizes

total, integrated security.

While these approaches have value, your board needs

to know that ultimately they leave your enterprise with

too many disparate systems; too many alerts with too

little cause and resolution information; and no protection

against zero-day threats that exploit unknown computer

security vulnerabilities.

Relying on point systems or Security Incident and Event

Management (SIEM) solutions also results in there being

too much of a focus on how something bad happened,

versus a proactive approach that involves understanding

how current activity means that something bad is about

to happen.

Make it plain to your directors that the threat

environment is expanding. Tell them that to combat it,

you are pursuing the deployment of a comprehensive

and integrated security solution.

To that end, you must explain that your concentration

has been on moving beyond implementing discrete

defense disciplines – perimeter defenses, log

management, vulnerability management, and endpoint

security – and even Defense-in-Depth layering tactics,

which have fallen short.

Highlight the fact that your efforts instead now veer

towards a holistic and adaptive security solution that can

complement existing security deployments so that ROI

isn’t sacrificed.

What matters today is a multi-layered security

architecture that takes a “predict, detect, and neutralize”

stance spanning premise-based, cloud and hybrid

network environments.

What CISOs Need To Tell Their Boards About Cyber Security 2

An Integrated Approach

A modern, agile security architecture must include the ability to automatically recognize patterns in

network behavior that let you find threats before they occur – a capability that can be enabled by

adaptive behavior analysis and machine learning.

Such an architecture should include:

• Real-time analytics

• Continuous expert monitoring

• Perimeter/interior protection

• Peer-level information sharing

• Operational ease of use

What CISOs Need To Tell Their Boards About Cyber Security 3

Experts suggest that your discussions with the board should be framed

in the context of risk, which as business people they are primed to

understand. So consider including in your presentation statistics that

illustrate risk and its cost, such as:

Masergy’s Unified Enterprise

Security delivers an integrated

approach to advanced threat




The total number of security incidents detected by respondents to PwC’s The Global State of Information Security Survey 2015

climbed to 42.8 million, an increase of 48% from 2013.

Data breaches continue to pack bigger wallops. Over the past year, the cost of data breaches due to malicious or criminal

attacks has increased from an average of $159 to $174 per record, according to The Ponemon Institute 2015 Cost of Data

Breach Study: Global Analysis.

Corporate Headquarters (USA):

2740 North Dallas Parkway, Suite 260

Plano, TX 75093 USA

Phone: +1 (214) 442-5700

Fax: +1 (214) 442-5756

Then, help them understand how your revised approach to security is working in terms of defeating those risks. You can do that best by

showcasing key performance indicators – such as the number of security attacks identified and repelled, the elapsed time from incident

identification to remediation, control cost/effectiveness ratio – that help them quickly grasp the significant impact of your work and measure

its success over time.

Given what’s at stake, it’s never been more critical for directors – and your company’s investors – to stay plugged into cyber security threats

European Headquarters (UK):

29 Finsbury Circus

Salisbury House 5th Floor

London, EC2M 5QQ UK

Phone: +44 (0) 207 173 6900

Fax: +44 (0) 207 173 6899

and what you’re doing to address them. Considering the ease of access that hackers have to tools to do their dirty work – not to mention the

criminal enterprise or state sponsorship behind so many attacks – this problem isn’t going away anytime soon.

Learn about Masergy’s Unified Enterprise Security (UES) solutions at:


Talk to an expert or request a free consultation.


What CISOs Need To Tell Their Boards About Cyber Security


Similar magazines