Download our “CISO's Guide To Reporting To The Board” eBook to get the scoop on metrics that matter to the board.
What you’ll learn:
- Why Gartner predicts that, by 2026, 50% of C-level executives will have performance requirements related to cyber risk built into their employment contracts
- How this reframes accountability for cyber risk
- How CISOs and executives can adapt to this new world order of cyber risk management by speaking a common language
As incidents of ransomware and data breaches continue to escalate and employees make more decisions with cyber risk implications, accountability for cyber risk is increasingly moving into the executive suite. According to Gartner, 88% of boards now view cybersecurity as a business risk rather than solely a technical IT problem. And by 2026, Gartner analysts predict that at least 50% of C-level executives will have performance requirements related to cyber risk built into their employment contracts.
CISOs must help business leaders succeed in this new world order and arrive at a place where executive performance and cyber risk management go hand in hand. To do so, they must convince corporate leaders that cyber risk is a real threat to the business, and show them why in terms they understand.
Here are three ways to do it.
1. Show the correlation between cyber risk and business risk
The stakes are high. Yet CISOs still have a hard time convincing executives and board members that cybersecurity directly affects a company's bottom line.
They need to understand that:
- The average cost of a data breach is $4.35 million (IBM's 2022 Cost of a Data Breach Report).
- The EU's GDPR can impose fines of up to 4% of worldwide annual turnover or €20 million, whichever is higher.
- Some of the biggest penalties handed out so far include Amazon (€746 million), H&M (€35.3 million), and Italian electric and gas distributor, Enel Energia (€26.5 million).
- There are also significant reputational costs (who can forget the Target, Capital One, and SolarWinds breaches), lost productivity, and service disruption costs (notably the Colonial Pipeline ransomware attack).
Plus, in the U.S. the SEC is cracking down on lax security practices. Its proposed rule, Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, aims to toughen cyber risk management and incident reporting requirements for public companies and their executives. A similar rule was proposed for the financial sector. Both proposals would penalize companies for deficient cyber disclosure controls and procedures.
2. Don’t focus on the technical stuff
The C-suite and board don't want to hear how many intrusions the corporate firewall blocked in the past 12 months. They want to know:
- How would those intrusions impact the business if successful?
- Which systems would have been impacted?
- How does all of this translate into financial or other impacts?
CISOs can do this by quantifying cyber risk in financial terms. In the past this meant lengthy studies by teams of consultants. Today, data analytics and automation make it far easier for organizations to simulate their financial exposure across hundreds of thousands of cyber events, including ransomware, denial of service, regulatory compliance failures, supply chain attacks, and more.
Armed with these insights, CISOs can guide leadership discussions around cyber risk management, prioritize cybersecurity decisions, and justify new technology investments.
They can also drill down and diagnose the underlying causes that impact financial exposure and help business leaders understand how that exposure changes as investments are made in security controls.
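To make the "simulate financial exposure" idea concrete, here is an added example (not part of the original article, and not any vendor's product). It runs a small Monte Carlo loss model: each event class has an assumed annual frequency (Poisson) and an assumed single-event cost (lognormal), and the simulation produces expected annual loss and tail percentiles for a baseline and for a hypothetical control investment that lowers ransomware frequency. Every rate, cost and control effect below is constructed for illustration; a real model would calibrate them from incident history, insurer data and control assessments.

```python
import math
import random
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class LossScenario:
    """One class of cyber event, parameterised for Monte Carlo simulation.

    All figures used with this class are constructed for the example.
    """
    name: str
    events_per_year: float  # assumed Poisson rate of loss-producing events
    median_loss: float      # assumed median cost of one event, USD
    sigma: float            # assumed log-scale spread of that cost (lognormal)


# Constructed baseline: the event classes the article names, with assumed parameters.
BASELINE = (
    LossScenario("ransomware", events_per_year=0.40, median_loss=1_500_000, sigma=1.2),
    LossScenario("data breach / regulatory", events_per_year=0.25, median_loss=800_000, sigma=1.0),
    LossScenario("denial of service", events_per_year=1.50, median_loss=90_000, sigma=0.8),
    LossScenario("supply chain compromise", events_per_year=0.10, median_loss=2_000_000, sigma=1.0),
)

# Assumed effect of a control investment (e.g. offline backups plus phishing-resistant
# MFA): ransomware frequency drops from 0.40 to 0.15 per year, nothing else changes.
WITH_CONTROLS = tuple(
    replace(s, events_per_year=0.15) if s.name == "ransomware" else s for s in BASELINE
)


def sample_poisson(rng: random.Random, rate: float) -> int:
    """Draw an event count for one year (Knuth's method; fine for small rates)."""
    threshold = math.exp(-rate)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= threshold:
            return count
        count += 1


def simulate_annual_losses(scenarios, years: int, seed: int) -> list[float]:
    """Return one total loss figure (USD) for each simulated year."""
    rng = random.Random(seed)
    totals = []
    for _ in range(years):
        total = 0.0
        for s in scenarios:
            # Each event in the year draws its own cost from the scenario's distribution.
            for _ in range(sample_poisson(rng, s.events_per_year)):
                total += rng.lognormvariate(math.log(s.median_loss), s.sigma)
        totals.append(total)
    return totals


def summarize(losses: list[float]) -> dict[str, float]:
    """Expected annual loss plus tail percentiles: figures a board can put a price on."""
    ordered = sorted(losses)
    n = len(ordered)

    def percentile(q: float) -> float:
        return ordered[min(n - 1, int(q * n))]

    return {
        "expected_annual_loss": sum(ordered) / n,
        "p50": percentile(0.50),
        "p95": percentile(0.95),
        "p99": percentile(0.99),
    }


def compare_exposure(years: int = 20_000, seed: int = 7) -> dict:
    """Simulate baseline and post-investment exposure and report the difference."""
    before = summarize(simulate_annual_losses(BASELINE, years, seed))
    after = summarize(simulate_annual_losses(WITH_CONTROLS, years, seed))
    return {
        "baseline": before,
        "with_controls": after,
        "annual_saving": before["expected_annual_loss"] - after["expected_annual_loss"],
    }


if __name__ == "__main__":
    result = compare_exposure()
    for label in ("baseline", "with_controls"):
        s = result[label]
        print(f"{label:14} EAL ${s['expected_annual_loss']:,.0f}  "
              f"p95 ${s['p95']:,.0f}  p99 ${s['p99']:,.0f}")
    print(f"control investment reduces expected annual loss by ${result['annual_saving']:,.0f}")
```

The output answers the three board questions above in one table: expected annual loss is the figure to weigh against the cost of the control, and the p95/p99 columns show the bad year the company must be able to absorb. Because the two runs share a seed but draw different event counts, the comparison is statistical rather than paired, which is why the example simulates 20,000 years rather than a few hundred.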
3. Keep executives in the loop–but keep it simple, too
Because executives and board members are now being held accountable for cyber risk by their companies and by regulators, CISOs must provide a view into the company's security performance over time. That way, executives can see whether and how security measures are driving improvements.
For instance, using continuous monitoring and security ratings, CISOs can convey risk levels as an easy-to-understand score that is tracked over time: the higher the rating, the better the company is doing, and a falling rating signals that improvements are needed. Paired with the financial exposure figures above, the trend shows the board both the direction of travel and what it is worth.
A rising score is good news for CISOs, because it is evidence that their efforts are paying off. It is also good news for executives, who become more likely to meet their cybersecurity performance requirements.
Bottom line: cyber risk is business risk
In today's threat landscape, companies can no longer afford to ignore the financial impact and business disruption of a cybersecurity incident. Cyber risk is business risk, and, quite rightly, executive performance must be tied to the organization's security performance. But for company leaders to make timely and informed risk decisions, the onus is on CISOs to make sure they have the right information at their fingertips.
Learn more about how the cybersecurity leader's role can be reframed. Download our eBook: CISO's Guide to Reporting to the Board.