I was the corporate technology representative for an information risk committee meeting attended by senior-level executives from finance, HR, legal, physical security, internal audit and our external auditors. External audit conveyed that they needed to brief the board on the potential cybersecurity threat. The problem was that if this was conveyed before we had some response, all it would do is create concern and a probable fire-drill approach that would not be productive.

Questions were raised around how to best convey our overall corporate cybersecurity status, as well as the status across each division. The board awareness needed to happen ASAP, and I took on the task of leading the effort to define an approach within one quarter; otherwise the Board would need to be briefed by external audit regardless. The pressure was on, but it was both reasonable and necessary.

I interviewed some large, well-known, as well as niche, cyber-focused professional services firms that all had established cybersecurity approaches, but all seemed very heavy in terms of both initial effort and ongoing upkeep. None provided the clear dashboard perspective we were looking to convey, and after a few weeks I hadn't gotten anywhere other than to better understand what I didn't think would work.

A solid cybersecurity perspective needs to be looked at through a time-dimensional lens

Fortunately, it was mid-December and I got an idea that hit me while once again watching the timeless "A Christmas Carol." Now, we all know the best way to convey something is through a clear story, which is what Dickens did so well. And the wisdom of Charles Dickens' approach with the ghosts of Christmas past, present and yet to come actually resonated with me!
My own experiences reinforced that this was the perspective I thought we should convey, which covered:

The Past – What have we experienced in terms of significant incidents, and what have we learned and done about them?
The Present – What's our risk relative to threats we've heard about in the news, and what are we doing about them?
The Future – What do we need to worry about in the future based on business plans and evolving threats, and how does that impact our forward planning?

A continuing status update focused on key business-impact metrics and initiatives, ideally on a cadence that dovetailed with Board meetings, would be necessary to ensure that proper attention was focused on the relevant past, present and future perspectives. That certainly didn't preclude immediate notifications and actions based on actual incidents or perceived threats; those items would be included in the next status update. While this provided the time perspective on how we were doing, it didn't address the point of reference needed for a methodical cybersecurity posture.

What is being used as the basis for determining cybersecurity risk?

Chenxi Wang, Ph.D., the Managing General Partner of Rain Capital and a Board member, provides guidance that the question to ask isn't "how secure are we?" as that's not based on any assessment framework and would just be an opinion based on individual perspective. Understanding your security posture requires a combination of understanding both the threat matrix to your company and some basis for assessing your cybersecurity risk.

Dr. Wang states that "cybersecurity risk needs to be discussed in the context of other risks the business faces – all the significant risks of the company.
How those risks are assessed as needing Board attention or not should be done using a similar risk framework and assessed every 6 months or so."

The simple analogy I often use relates to the security protection you decide to implement for your home. You can have glass sensors on every window, and smoke, heat, water, carbon monoxide and motion detectors and cameras in every room. You can have multiple locks on every door. You can have 24x7 monitoring and homeowner's insurance. Yet no one can guarantee you won't get robbed, or that your house won't catch on fire or be flooded. And while insurance will certainly mitigate your costs, your life will be disrupted for a long time, and you might never be able to replace some precious valuables. Yet you decide how much insurance you need (based on what needs to be protected) and how much is prudent.

It's really no different from a business perspective. You might be legally protected from third-party cyber incidents through contracts and covered financially with cyber insurance, but what's the impact to your company's reputation even with those protections? How will it impact any of your ongoing processes, or your consumer or business relationships, until remediated?

Your business risks and necessary protection will vary based on the type of business you have. As with your personal life, you need to decide which assets (data, system access, etc.) you need to protect. And what is the impact if those assets are compromised?

At the conglomerate where I worked, we were comprised of different businesses, even though they were all media related. The risks confronting a subscription TV/On Demand business differed from those of a live news organization, an ad-supported broadcast network, a TV and movie production company, or the corporate parent entity.
While we had standard Information Security policies across the entire enterprise, the degree to which they were relevant varied across business units.

What assets need to be protected in your company?

This requires you to think about what really matters to your company. Some areas to consider include:

Consumer information (whether in-house or third-party managed for your company)
Regulatory compliance (including state and government, domestic and international), such as PII, PCI, GDPR, CCPA, HIPAA, etc.
Supply chain (digital or otherwise)
Brand reputation (including social media impact and public- or B2B-facing websites)
Intellectual property protection, including strategy and plans
Employee information (including confidential third-party personnel information)
Non-public financial and contractual information

Uncovering this requires frank discussions with all business leaders in every department – as well as with your external accounting firm. What information needs to be protected, and where is it located, including within your third-party relationships? What is being done in the Cloud outside of the technology department's involvement? Working with, and educating, business leaders and being in it together with them must be established. You must be able to build the trust that you're there to help them and the business, and that risk tolerance is a business decision that you can help guide them on.

Cybersecurity frameworks and standards then need to be applied as a basis for determining where you stand. Some of the standards below can be considered, but I would suggest rolling them up to convey a summary-level status, in a way that conveys the potential business and financial impact for current and future cybersecurity plans:

Center for Internet Security, Inc. (CIS) Critical Security Controls (CSC)
NIST's Cybersecurity Framework (CSF)
SANS Top 20 Controls
The EU's GDPR (General Data Protection Regulation)
The California Consumer Protection Act (CCPA)
ISO 27000 series (International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC))
National Association of Corporate Directors (NACD) Cybersecurity guidelines

How is your cybersecurity risk impacted by funding, and how do you compare to your peers?

To continue with the Christmas Carol reference, financial diligence is crucial to determining your cybersecurity position, and Ebenezer CFO has an important role to play (please don't take offense, as he does turn out well in the end!).

There usually is some industry guidance on spending, such as the Financial Services Sector Cybersecurity Profile, that you can utilize for your spending assessment. I would explore which makes sense with your audit firm as well as with your key cybersecurity firms, based on any industry expertise they might have (although they might not have any relevant to your industry or company structure).

But aside from that perspective, how does budget spending impact your situation? If your CFO, CEO or Board asked you these two questions, how would you respond?

Do you need more funding for our cybersecurity program, and if so, how will that reduce our risk?
If you're asked to cut 10% from our cybersecurity budget, how would that increase our risk?

So how much do we spend? Do we approve that request for more resources, or the new artificial intelligence/machine learning (AI/ML) threat prevention tool? How is risk conveyed in a business perspective? A well-accepted best practice is to use a risk-based approach that seeks to determine whether the cost of putting adequate precautions in place is justified by the potential risk impact.
It can be a simple 4-quadrant perspective of low-to-high risk on one axis and low-to-high cost on the other, and can help you assess where your limited spending should go.

Unfortunately, as I learned at an IBM Executive Conference, people generally make decisions based on current certainties over future uncertainties. That's supported by an article by Dr. David Rock in Psychology Today, "A Hunger for Certainty - Your brain craves certainty and avoids uncertainty like it's pain," that hits upon the principles of how we deal with certainty vs. uncertainty. We're wired to automatically avoid uncertainty, which explains why we prefer current things we know over future things that are less immediately negative for us. It explains the resistance to an increase in current financial cost versus the uncertainty of whether and when we'll have a cybersecurity incident and what its financial impact will be.

I have many examples of CISOs who have been asked whether their request for additional resources will recur next year or in a few years. The CISO can't really say, as both internal and external factors can impact the answer. I advise them to ensure that they convey the reason driving their request – is it a company-controlled event, such as acquisition integration costs to take the new venture to an improved security profile? If so, the decision to be made is whether those changes are business justified, as that's a business decision. Or is there a new business extension (such as direct to consumer) that has created cybersecurity impact? Or a new business location that needs to be secured? The business needs to feel that it has some control over these decisions, and is not just a victim. That can only happen with a proper assessment framework and an understanding of how the business is impacted by potential cybersecurity incidents vs. preventative mitigation costs.

Since the likelihood of having some type of cybersecurity incident is high, you also need to be prepared for incident response – operational, statutory, and public facing. This is all impacted by the specific incident, your type of business, how you're technically structured, your third-party dependencies, and the potential impact of different types of cybersecurity events. This can also be treated with the same risk-based approach defined above.

The straight talk

Cybersecurity isn't a black hole of funding unless you let it be treated that way. There are tradeoffs and tough decisions to be made that you're accountable for as a senior executive. You need to be ready to answer questions around the organization's cybersecurity maturity and the frameworks established to manage emerging threats. You should ensure that cybersecurity status is framed similarly to how other business risks are managed, in terms of the impact potential security incidents have on the business's assets.

Partner with your CFO and CHRO (and COO if you have one), as well as with your Chief Legal Officer and internal or external audit, to help provide a basis for this. Being able to succinctly explain the potential risk, and the cost of mitigating it, in business terms is your responsibility as a CIO/CTO/CISO. While some executives dislike seeing cybersecurity issues documented for reasons that may be financial, legal or political, sticking one's head in the sand doesn't avoid the oncoming train about to hit you. It's your fiduciary responsibility to convey this responsibly in a business-understandable perspective, and to build proper stakeholder support, since it's not your issue but one for your company.