How to Talk to The Board About Exposure

Board Exposure Management

Exposure management tooling can act as an excellent source of truth for cybersecurity leaders as they communicate risk up to the board level. The visibility and data streaming from exposure management solutions makes it easier for CISOs to track security performance over time, quantify improvements in security maturity levels, establish better financial quantification of cyber risk and ensure the organization's exposure levels match up with industry averages.

However, it is easy for a security executive to get caught up in the minutiae of exposure management data and fail to see the forest for the trees. Simply dumping exposure management data into a massive slide deck is one of the worst ways to report to the board. Reams of security operational data flood directors and other executive stakeholders with uncontextualized technical information that feels irrelevant to their concerns about business risk.

So while exposure management platforms will directly feed the performance metrics that a CISO reports to the board, security executives should only rarely present raw exposure data. The big exception is when headline events like the MOVEit or SolarWinds attacks emerge and the board wants to know the current risk status.

"When there are major security events, you want to be able to show that you're proactively managing it," explains Brian Mulligan, vice president of product for security performance at Bitsight. "And then that's when you'd tell the board, we have 1,000 vendors, 800 of them are impacted, 600 of them have remediated and we're working with the other 200 to do so. That's where exposure metrics do have use in the board room."

Instead, CISOs should be thinking of how to bring context and summarization to the risk information that exposure management platforms uncover. Then they need to tell stories in business context. Here are some key tips for presenting the outcomes tracked by exposure management in a way that will be most helpful to the board and business stakeholders.

Summarize Information into a 'Wow' Report

The value of exposure management data is that it makes it possible to create accurate security performance and risk metrics relevant to board audiences. CISOs should consider working with their board constituents to summarize information about cyber KPIs that are fed by exposure data and other relevant cyber risk information into a 'Wow' report, recommends James Lam, president of James Lam & Associates, a board advisory and consulting firm, and a veteran risk management expert and corporate director. As he explains, wow is not an acronym, it's what you're trying to get directors to say once they've read it and heard the presentation.

"You want each board member to say, 'Wow, I have a better understanding about our cyber risk profile. I'm seeing information that I have not seen before," Lam says.

This means ditching the laundry lists of open or closed critical vulnerabilities and moving into storytelling and business risk quantification. When Lam sat on a corporate working group to develop such a reporting framework, it had six major elements:

  • a snappy executive summary written by the CISO about the risk profile and strategy,
  • a business-audience digest of the biggest threat trends impacting the org during the reporting period,
  • independent security ratings and outside audit results,
  • a summarized breakdown of trends from security performance data,
  • a section offering financial quantification of cyber risk, and
  • a section detailing strategies to improve the most important KPIs detailed in the previous sections.

With that kind of summarization established, Lam reports that it became much easier to establish a line of meaningful communication between security leadership and the board.

"It was updated every quarter," he says. "And this facilitated much better decision making at the board level in terms about controls, our cyber risk strategy, our cyber insurance decisions."

Present Security Performance Data Over Time

With regard to the exposure information itself, the most important thing is to take the data and do some simple analysis to contextualize it in a meaningful way for board directors. The raw numbers themselves mean very little to a non-technical director, but the way those numbers are trending is of particular interest.

"When it gets to the board level, what we want to encourage our CISO champions to do is to deliver metrics the same way that any other part of the business would be expected to," explains Greg Keshian, senior vice president and general manager of security performance management for Bitsight. "If you think about sales, you're going to talk about the results, and then you're also going to talk about key trends quarter-over-quarter and year over year. That way you've got the context behind the results, and it's not just a number in a vacuum."

Whether it's exposures or anything else, CISOs want to talk to the board about performance trends over time and compared to peers. This provides context so that board members can actually engage in the conversation at a business level and make recommendations about how to invest the company's resources.

Use Benchmarks

In addition to trends over time, board members will be most interested in how their organization's exposure levels and security performance stack up against standard benchmarks. This is common to any kind of board reporting, be it financial, recruiting, pricing or anything else. Directors want to know how their performance looks compared to the industry or competitors.

"Those are the types of things that boards always want to understand so even in a field where they're not an expert, they can understand if things are going well or if further investment or change is needed," Keshian explains.

Prep ahead of time with templates for common urgent reporting requests

One of the big advantages that exposure management visibility affords CISOs reporting to the board is that it gives them a real-time temperature check on how much risk a new zero-day or supply chain attack poses to the organization. When these incidents hit the headlines, boards of directors want to know ASAP whether the company's infrastructure is in play this time, how many assets are impacted, what kind of financial risk those exposures open the organization up to, and what is being done to reduce the risk. Exposure management gives CISOs visibility into the scope of assets at risk and contextual information about how the assets are used, including business criticality and sometimes even financial risk quantification. But CISOs still need to take that data and turn it into not only an action plan but a board report. Security executives with board reporting expertise recommend preparing for the most common scenarios with a board report template for each. These scenarios could include responding to inquiries from the board about zero-day threats, attacks occurring across their industry, and supply chain attacks like last year's MOVEit attacks.

"I would take a certain amount of scenarios—say the top four—and I would make a template. It might include relevant communication like 'We were hit with X, we are doing Y' or it would plan out common observations and metrics that you'd use in that scenario," says Barbara Shurtleff, a fractional CISO and a boardroom certified Qualified Technical Expert (QTE). "I'd even potentially be making that template in conjunction with the board, asking what they would want to know in each scenario ahead of time."

Then it never feels like a crisis, but instead is a very matter-of-fact reporting activity that's almost perfunctory. A CISO knows the board wants three different metrics in a zero-day scenario, and it is a simple enough matter to provide them when the ad hoc request is made, especially when the data may show the organization is at low risk from a particular issue.
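As an added example, not from the article or any vendor's product, the following script turns raw exposure-management counts into the three things the sections above ask for: quarter-over-quarter and year-over-year trend, rank against a peer benchmark, and the vendors-impacted/remediated figures of a headline-event template. All metric names, quarterly values and peer values are constructed sample data.

```python
# Added example, not from the article: turn raw exposure-management counts into
# the trend, peer-benchmark and headline-event figures the sections above call
# for. Every number here is constructed sample data, not real telemetry.

QUARTERS = ["2023Q3", "2023Q4", "2024Q1", "2024Q2", "2024Q3"]
CRITICAL_EXPOSED = [412, 380, 355, 298, 240]   # internet-facing assets with critical findings
PEER_CRITICAL_EXPOSED = [210, 230, 275, 290, 320, 350, 410, 480]  # constructed peer set


def pct_change(new, old):
    """Percentage change from old to new, rounded; None when there is no baseline."""
    return None if not old else round((new - old) / old * 100.0, 1)


def trend_summary(quarters, values, peers, lower_is_better=True):
    """Latest value plus QoQ/YoY change and peer rank: the context the board asks for."""
    latest = values[-1]
    qoq = pct_change(latest, values[-2]) if len(values) >= 2 else None
    yoy = pct_change(latest, values[-5]) if len(values) >= 5 else None   # four quarters back
    beaten = sum(1 for p in peers if (latest < p if lower_is_better else latest > p))
    peer_pct = round(beaten / len(peers) * 100.0, 1) if peers else None  # share of peers we outperform
    return {"quarter": quarters[-1], "latest": latest, "qoq_pct": qoq,
            "yoy_pct": yoy, "peer_pct": peer_pct}


def vendor_event_status(total, impacted, remediated):
    """Headline-event template (e.g. a supply-chain advisory): vendor counts the board asks for."""
    if not 0 <= remediated <= impacted <= total:
        raise ValueError("need 0 <= remediated <= impacted <= total")
    return {"total": total, "impacted": impacted, "remediated": remediated,
            "outstanding": impacted - remediated,
            "remediated_pct": round(remediated / impacted * 100.0, 1) if impacted else 100.0}


def board_lines(trend, event):
    """Plain-language lines for the deck; 'n/a' where history or peers are missing."""
    fmt = lambda v: "n/a" if v is None else f"{v:+.1f}%"
    return [
        f"{trend['quarter']}: {trend['latest']} critically exposed assets "
        f"({fmt(trend['qoq_pct'])} QoQ, {fmt(trend['yoy_pct'])} YoY).",
        f"We outperform {trend['peer_pct']}% of peers on this measure."
        if trend["peer_pct"] is not None else "No peer benchmark available.",
        f"{event['impacted']} of {event['total']} vendors impacted; {event['remediated']} "
        f"remediated ({event['remediated_pct']}%), {event['outstanding']} still open.",
    ]


if __name__ == "__main__":
    trend = trend_summary(QUARTERS, CRITICAL_EXPOSED, PEER_CRITICAL_EXPOSED)
    for line in board_lines(trend, vendor_event_status(1000, 800, 600)):
        print(line)
```

Pass `lower_is_better=False` for measures such as a security rating, where a higher number is the better outcome.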

Always Tie Everything Back to Business Risk

One of the most crucial things to understand about successful board reporting—whether talking about exposures or anything else—is that CISOs want to talk to the board in the context of business risk and business results. 

"While CISOs are certainly expected to be well-versed in cybersecurity and technology, the board is all about business risk," wrote Sarah Kuranda Vallone of venture firm NightDragon and Edna Twumwaa Frimpong of global governance research organization Diligent Institute in a recent piece for the Harvard Law School Forum on Corporate Governance. "CISOs must approach every discussion and potential problem not just from the mindset of a skilled practitioner, but as someone who intimately understands the unique nature of their organization and how security fits in most effectively."

Not only should CISOs tie each metric and each piece of reporting content to business risk, they should also be mindful of the language used in presentations.

"That means ditching the industry lingo and always speaking in terms of risk to the business, such as how cybersecurity risk could impact revenue acceleration, international expansion, and other strategic topics," Vallone and Frimpong write.