To deliver an effective cyber security programme and operations you need the Board to both champion and provide funding for your work. With this comes an expectation from the Board that you will provide a means of measuring and tracking improvements to the organisation cyber risk position. Whilst you might be justified in providing basic early management information, reporting cyber risk as very high using a judgement based qualitative assessment to start with, you will soon lose the board if you are unable to move to granular informative quantitative risk assessment. So what does your Board need to know as you grow the cyber maturity of your organisation?
Stages in reporting cyber risk to the Board
“Don’t know how good we are, so what do we report to the Board?”
Assuming you are using a “probability” and “impact” qualitative risk reporting approach, you are left with little option but to probably report cyber risk as very high for both these measures. What can really help to validate any assessment you make, is to have an external independent company aggressively test your organisation.
Simulate a real attack on your organisation’s critical assets, by conducting a Red Team type test from both outside and inside. Nothing validates whether your cyber controls work more effectively than performing this type of test.
Anything else is just burying your head in the sand and hoping things will be okay. Remember this provides real evidence to the Board on the likelihood of an attack being successful; no Board is going to ignore this and it helps justify funding
“Testing Regime and Maturity Assessment against a recognised Industry standard”
So you have your Board’s backing and funding, what now. The board will want to track the improvement you are making, and not “we have implemented new firewalls”. So choose a recognised cyber security industry standard, establish a baseline for the organisation and demonstrate improvements in maturity against this. Set a short to medium term target maturity for the funding you have and report if you are on track to achieve this. I would recommend NIST (https://www.nist.gov/cyberframework) as in my experience through working with other public and private organisations globally, this is the standard most widely used. Now you can also start reporting cyber risk using the organisation’s maturity as a proxy for probability and impact. If you are making improvements in the IDENTIFY, PROTECT and DETECT NIST domains, then it should be right to assume the probability of an attack is reducing, if the improvements are in the RESPONSE and RECOVERY domains, then the impact of an attack is reducing. If you can, again have an external independent assess you annually. This means you are not marking your own homework, and they are able to provide experience from their other clients as to your maturity against your peers and the evolving capability of attackers.
“Know your attackers, real time control assessment and practise cyber breach scenarios”
When the government issues its Terrorist risk assessment rating, do you think it is a best guess? No, using intelligence on potential attackers, their methods and means, and the security control in place (Eg. Policing) the rating is set. This is the optimal way to report cyber risk to the board. Invest in knowing your attacker and their methods, constantly validate whether the controls you have in place would stop them, and practise cyber breach scenarios for response and recovery with the business. If you are able to do this, then you should be able to report cyber risk to the Board as a real-time measure that will fluctuate over time. So this means reporting reducing risk as you make improvements within the organisation, along with, and just as important, increasing risk as attackers employ new techniques, or new vulnerabilities are announced or your organisation profile makes it a higher target (eg. Geopolitical tensions). This type of assessment does require a high maturity and investment in skilled staff and IT system telemetry, not something achieved overnight!
Whatever stage of cyber maturity your organisation is at, transparent, clear, relevant reporting means that your Board can make decisions around funding and prioritisation that could be the difference between an effective cyber security programme and a catastrophic cyber attack.
For more advice on cyber security Board reporting, please contact firstname.lastname@example.org or call +44 203 603 4733.