CISOs facing boards need better business, communication skills
According to a recent survey by Veracode and the New York Stock Exchange, 80 percent of boards discuss cybersecurity at nearly every board meeting.
"It's become a really serious issue," said Chris Wysopal, CTO and CISO at Veracode.
Despite the growing interest in cybersecurity, boards still have a long way to go before they're fully educated about cybersecurity.
According to a June study by Fidelis Security and the Ponemon Institute, 26 percent of board members admit to "minimal or no knowledge" about cybersecurity, and only 33 percent say that they are "knowledgeable" or "very knowledgeable."
This lack of education is combined with an over-inflated view of their company's security -- 70 percent of board members said that they understand the security risks to the organization, but only 43 percent of IT security professionals agreed that the board understood those risks.
Only 18 percent of IT security professionals rated their companies' cybersecurity governance practices as very effective -- compared to 59 percent of board members.
This is a difficult communications gap that needs to be addressed both at the board level and by CISOs themselves.
But that doesn't mean that boards want to hear about all the technical details of the latest security technologies.
"Boards want the CISO to give them risk metrics and peer benchmarking," Wysopal said. "They want to know how they're doing related to like companies. Those are all good things that are going to help boards understand the true risk of cybersecurity."
Instead of focusing on vulnerabilities, or tools deployed, CISOs should focus on easy-to-understand metrics that show how effective the company is at managing security, said Matt Alderman, vice president of strategy at Tenable Network Security.
"This requires top line metrics associated with impacts to the business," he said. For example, that could be the amount of money lost due to security failures.
Operational metrics could also be useful, he said, such as reducing the potential attack surface.
"My job is to facilitate the awareness of risk and be in a position of educating my leadership about what risk they are willing to accept," said Paul Calatayud, CISO at Surescripts.
Surescripts processed 6.5 billion transactions last year for 98 percent of U.S. pharmacies, so the worst-case cyberrisk scenarios are pretty bad.
Despite that, Calatayud said he doesn't pitch new security projects to the board based on improving security, but based on increasing business value.
For example, medical fraud has an impact on the company's brand and reputation, so Calatayud started out by getting the marketing department to understand the net benefit of that particular project.
"The board becomes very receptive to that because they see the business content, because the marketing team is on board," he said. "Here's the net benefit to the company. That's how I've approached bringing things that are more company strategic."
It can be hard to justify technology costs by focusing purely on the security benefits, he said.
"Fear mongering, although helpful at one time to garner support, today leads to only short-term support and ultimately undermines CISO credibility," said Adam Vincent, CEO at security firm ThreatConnect. "Instead, the CISO should focus on clearly communicating strategic risks to the business and what is being done to mitigate the risk."
For example, CISOs might be able to get more money for their security projects by attributing the costs to the business unit or organization that will benefit from them, instead of asking for funding in one lump sum, said David Shearer, executive director at International Information Systems Security Certification Consortium.
"CISOs need to bridge the gap between the technical aspects of the information security program and the business value board members are looking for from investments," he said.
For example, when Jason Thomas, CIO at Ruston, La.-based Green Clinic, was pitching consolidated user accounts to his board of directors, he didn't pitch it as a costly new security project.
Instead, he pitched it as a way for doctors to log in to all their systems with just one user name and password, so that they could stop worrying about security and focus more on their patients.
"That's a business simplifier," he said.
His board, mostly composed of medical professionals, is worried about security, he added.
"But it's a difficult situation because you're trying to educate them without giving them fatigue," he said. "You have to have a light touch with security, and not freak them out."
Whenever a project can be pitched as a business benefit or competitive advantage, that helps, he added.
Eric Cole, Fellow at SANS Institute, said that he's regularly seeing the CISO become equal to the CIO and report to a risk executive, or directly to the board.
"It's security that keeps executives up at night, not IT infrastructure," he said.
Many boards don't know what to look for in a CISO, and how to tell whether a CISO has been doing a good job or not, he said.
"The problem is the metric the board is using today is, if you don't have a breach, then security is doing its job," he said. "And that's a very dangerous metric because we know that everybody will have a breach."
Then, once a breach happens, someone falls on their sword -- and that someone is the CISO.
"If you're going to be a CISO in the near future, keep your resume updated, because you're going to be moving around for a few jobs," Cole said. "CISOs are like NFL coaches -- they don't go away, they just go from team to team."
"We've seen CISOs fired after a high profile breach has occurred," said Frank Mong, vice president of solutions for HP Security. "With the level of stress and risk taken on by CISOs today, there is a high rate of burnout. The role of the CISO is no walk in the park."
But there is a way out, SANS Institute's Cole said.
New CISOs need to start by educating their boards about the relative costs of risks.
How much would perfect security cost? How much can the company actually afford? What risks is it willing to take?
"You have to understand the risk appetite of the executive team," Cole said. "Then you need to define clear metrics for security that they can understand."
There is one more step that corporate boards can take to improve security -- bring a security expert onto their board.
"I think we're going to increasingly see search committees looking for directors who can demonstrate particular technology competencies," said Gerry Stegmaier, partner in the privacy and data security practice at Goodwin Procter LLP.
Earlier this year, for example, Wells Fargo elected retired Air Force Maj. Gen. and commander Suzanne Vautrinot to its board of directors. At Air Forces Cyber, she oversaw a multi-billion dollar global cyber enterprise with 14,000 military, civilians, and contractors.
"This topic has become so important that in a few cases, we've even seen federal regulators encourage boards to add more cyber expertise to the board," said Jim Jaeger, chief cyber services strategist at Fidelis Cybersecurity.