Contact Us

Cyber risk
posture: How to
quantify it for
boards of directors

Author: Mark Stone

With stories of cyber crime appearing in the headlines with alarming frequency, now more than ever, it is essential for chief information security officers (CISOs) and their security teams to communicate the value of their work.

Boards of directors are pressuring CISOs for more comprehensive communication regarding cyber risk posture, including risk associated with third parties. But quantifying and clearly conveying the value of security services to the board can be a challenging process.

CISOs need to learn how to demonstrate in clear and convincing terms that their work is valuable and essential. They must make a compelling case for cyber security investment in a language decision-makers will understand.

Essentially, when it comes to communicating the value of their work and the importance of a robust cyber risk posture, CISOs are taking on the role of a salesperson.

Cyber risk posture: Why do CISOs need to communicate the value and the importance of a robust cyber security posture?

  • Security incidents are common. Raising awareness of the importance of cyber security and winning the support of decision-makers is critical. Ransomware, artificial intelligence (AI), and attacks on cloud services are all on the rise. The Verizon 2021 Data Breach Investigations Report found an increase in phishing and ransomware attacks in 2020, with 85% of breaches involving a human element. Without full support, cyber security teams could easily find themselves overwhelmed, and their cyber risk posture weakened.
  • Top-level decision-makers aren't always on board with cyber security needs. According to Security Magazine, "a lack of senior executive buy-in or understanding" is one of the primary factors inhibiting a strong culture of cyber security and prioritization of cyber security posture. With such a palpable disconnect between security teams and the board, the need for a shared understanding of the risks and issues is crucial.
  • Board members often lack cyber security knowledge and experience. In one survey, only 6% of respondents were confident they had a board member who was highly knowledgeable about cyber security. In these cases, needs and warnings can go overlooked. Today and for the foreseeable future, CISOs must be a voice of education and authority in the boardroom.
  • The landscape is constantly changing. With new threats being discovered consistently and the severity of those threats increasing, the tools that worked in the past may no longer be sufficient today. Now, companies need to assess and update their cyber risk posture constantly. This costs money and requires buy-in from high-level decision-makers—making it essential to communicate effectively with them.

Communicate cyber security posture to board members

When broaching the topic of cyber risk posture with the board, it's useful to follow a strategy that balances the basics with the imperatives.

Think in terms of risk

Security should always be a response to specific risks. Instead of a vaguely defined overall strategy with one-size-fits-all solutions, your cyber security processes should examine how the business—revenue, IP, assets—is at risk and how the security strategy responds to those risks.

Armed with this knowledge, you gain a better understanding of how security investments relate to specific business objectives and specific risk vectors. The more data you have, the better position you'll be in to communicate clearly with higher-ups about how a strong cyber security posture solves particular problems and prevents other adverse outcomes.

Tie it to specific business outcomes

How can a strong cyber risk posture benefit the bottom line? Board members, first and foremost, are concerned with the company's growth and its profits. If you treat cyber security as an abstract entity, you risk losing their interest and support.

Instead, emphasize how cyber security directly impacts business outcomes. Many board members have been conditioned to view cyber security as something for CISOs and their teams to worry about—it's now your job to show them that it affects everyone.

Use examples from other companies to highlight what is at stake—the Verizon 2021 Data Breach Investigations Report contains numerous examples. Then, clearly show how your team's actions could help prevent such disasters from taking place.

You don't always have to accentuate the prevention of negative outcomes. A strong cyber security posture can yield purely positive results; for example, businesses perceived as more secure also may be perceived as more trustworthy and thus gain a competitive advantage.

Use real tests

Simulating attacks and running crash tests to measure resilience—the ability to respond quickly—can help highlight weaknesses and provide a concrete picture of your cyber risk posture and how well-equipped your organization is to face real threats.

Simulations such as red team/blue team exercises and cyber ranges are also practices that mimic real-world situations. Successfully defending against simulated tests can be an excellent component in demonstrating to board members the value of threat mitigation practices you have put in place. Be sure to focus on the appropriate risk areas and clearly highlight how your organization, through preparation, can help avoid negative outcomes when faced with a cyber attack.

For CISOs and security teams, communicating the value of security to board members is now another crucial part of the job. You'll need to ensure they're fully on board and well-educated on the pressing and growing need for up-to-date, sophisticated security as attacks increase in effectiveness and frequency.

Learn how Verizon can help you to provide the visibility you need to demonstrate your worth to important stakeholders and supercharge your cyber security posture.