Who doesn't know this stuff? Most of the people on your company's board or in the C-suite don't. They're not going to understand your technical terms, nor will they care what the acronyms mean.
What the suits want to know is how much cybersecurity risk the organization is running, how much it will cost to mitigate the highest-priority issues, and what it all means for the bottom line.
"When discussing cybersecurity with leadership, the conversation shouldn't revolve around the number of assets or findings," wrote Robert Huber, Chief Security Officer at Tenable, in a recent blog post. "Those are operational metrics that generally hold little interest for the C-suite. What they truly want to know is: How does this impact the business?"
For more information:
What is exposure management?
What is continuous threat exposure management?
How to grow vulnerability management into exposure management

The key to presenting information-security issues to the board or to top executives, and to making the case for more resources for your team, is to get rid of the jargon and the finer details. Instead, present a broad overview with a clear narrative, including a backstory and a likely future outcome.
Most importantly, give them measurements of the company's risk. Business planners want to see past numbers, present numbers and projected future numbers - key performance indicators (KPIs). Exposure-management platforms like Tenable One can continuously generate unified, context-based risk assessment scores to track the entire organization's security posture and the potential business impact.
Remember, you don't need to scare the top brass or predict the apocalypse if your recommendations aren't followed. These people deal with business risk every day, and they won't take the bait. Simply show them how you plan to mitigate the risks you're responsible for, how doing so will help the company, and what you'll need to get the job done. Then let them make the decisions.
How to communicate to the suits
A good CISO, CSO or CIO leads a double life. Part of it is spent with the IT, dev and SOC teams in their cubicles, receiving technical reports, discussing improvements and mitigations and laughing at "Star Wars" jokes. The other part of it is spent in executive offices with great exterior views, attending planning meetings, talking long-term business strategy and laughing at golf jokes.
The key part of the job is translating the desires and needs of each side of this dual existence to the other side. The good cybersecurity leader explains the suits' point of view to the nerds, and the nerds' point of view to the suits. He or she sees and understands both worlds and acts as the intermediary between them.
That's why it can be a disaster when an information-security leader or manager goes to the executive floor and drowns the audience in jargon and baffling numbers.
I once worked for a nice guy whose quarterly informal company meetings were a litany of business terms: EBITDA, ROI, fixed costs, margins, deliverables, incentivization, high- vs. low-funnel. Few of the science and tech journalists, photo editors and illustrators on staff understood any of it. They didn't have MBAs. They just wanted to know if the company was doing well.
When you're an infosec leader addressing the C-suite - or a business executive talking to the SOC team - don't make the same mistake. Keep it simple, but don't assume that your audience is simple-minded. Most of them are smart people whose areas of expertise just happen to be different from yours.
In a different blog post, Tenable's Huber lists five things that the executive team and the board "truly care about":
How much cyber risk is the organization carrying?
Does it exceed our appetite?
What's the potential business impact of this risk?
What are the most critical areas to address?
What's the cost of inaction, and which risks are we willing to accept?

You want to be able to give them answers to all these questions, clearly and succinctly. Tell them where the company is now, where it was six months or a year ago, and where it will be six months or a year into the future.
Feel free to use PowerPoint slides to illustrate your presentation, but keep it very short. The first slide should sum up what you're going to say, the next three or five slides should each make an important point, and the last slide should again sum it up.
And be prepared to answer questions about things that aren't in your presentation. For example, there may have been a big breach or other major security incident in the news recently. The executives might want to know how the company would have handled that, and if the threat still exists. Have answers ready if you need them.
How to get the numbers you need
We've left out the most important part: the metrics. No businessperson is going to make decisions based on your hunches. You need to present numbers, but the traditional CVSS (Common Vulnerability Scoring System) score isn't going to be enough, as it measures only the objective severity of a vulnerability, and not the actual risk to your business.
Exposure management considers each organization's business risk. Key parts of the vulnerability assessment process are validation and prioritization: Does this vulnerability, misconfiguration or other weakness, whatever the CVSS score, present a real risk to the company? Is there a viable attack path by which it could be exploited? And if so, how bad could it be?
Tenable One calculates a priority rating called a VPR (Vulnerability Priority Rating) for each vulnerability, taking into account not only the CVSS impact score but also the age of the vulnerability, the number of company products or assets that might be affected, the threat sources and known events involving that threat, and whether an exploit for the vulnerability exists and how long that exploit has existed.
As part of its discovery stage, the exposure management process also inventories and analyzes each known asset and its importance to the business. With that information, Tenable One calculates an Asset Criticality Rating (ACR), taking into account the type of asset, its location, its business purpose, what it's connected to, and what it does.
The VPR and the ACR are then combined to form an Asset Exposure Score (AES) for each asset. The average of the AES values across a sector of the organization, or across the entire organization, yields the Cyber Exposure Score (CES), which can range from 0 to 1,000.
Because exposure management is a continuous process, and Tenable One can generate new Cyber Exposure Scores at any time, these metrics provide an easy-to-understand set of KPIs that can be used to track progress in risk reduction. A gradual trend reducing the CES will be welcomed by any business executive, as would a plan to reduce it even more rapidly.
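To make the roll-up concrete, here is an added toy model of the scoring chain described above: a per-asset score from a finding's VPR and the asset's ACR, a CES averaged over a sector or the whole organization on a 0 to 1,000 scale, and a quarter-over-quarter trend of the kind an executive would want on a slide. This is illustrative code written for this page, not Tenable's own implementation. The page only states that VPR and ACR are combined and that CES averages AES values; the exact combination used here (worst finding on the asset, weighted by criticality) and the 0-10 VPR and 1-10 ACR scales are assumptions, and the asset inventory is constructed sample data.

```python
"""Toy exposure-score roll-up (assumed formulas, constructed data).

AES per asset from VPR and ACR, CES per sector or for the whole org,
and a period-over-period trend suitable for a board-level KPI.
"""
from dataclasses import dataclass, field
from statistics import mean


@dataclass
class Asset:
    name: str
    sector: str                 # business unit the asset belongs to
    acr: float                  # Asset Criticality Rating, assumed 1-10 scale
    vprs: list = field(default_factory=list)  # VPR of each open finding, assumed 0-10


def asset_exposure_score(asset: Asset) -> float:
    """AES on a 0-1000 scale.

    Assumed combination: the asset's worst open finding (highest VPR), weighted by
    how critical the asset is to the business (ACR). No findings means no exposure.
    """
    if not asset.vprs:
        return 0.0
    worst = max(0.0, min(10.0, max(asset.vprs)))   # clamp to assumed VPR range
    crit = max(1.0, min(10.0, asset.acr))          # clamp to assumed ACR range
    return round(worst * crit * 10, 1)             # 10 * 10 * 10 = 1000 at worst


def cyber_exposure_score(assets, sector=None) -> float:
    """CES = mean AES across the chosen scope (one sector, or everything)."""
    scoped = [a for a in assets if sector is None or a.sector == sector]
    if not scoped:
        return 0.0
    return round(mean(asset_exposure_score(a) for a in scoped), 1)


def top_exposures(assets, n=3):
    """The 'most critical areas to address': highest AES first, ties by ACR."""
    ranked = sorted(assets, key=lambda a: (asset_exposure_score(a), a.acr), reverse=True)
    return [(a.name, asset_exposure_score(a)) for a in ranked[:n]]


def trend(previous: float, current: float) -> dict:
    """Board-level KPI: CES then versus now, and the direction of travel."""
    delta = round(current - previous, 1)
    direction = "improving" if delta < 0 else "worsening" if delta > 0 else "flat"
    return {"previous": previous, "current": current, "delta": delta, "direction": direction}


# Constructed sample inventory for two assessment periods (not real assets or findings).
LAST_QUARTER = [
    Asset("erp-db-01", "finance", acr=10, vprs=[9.4, 6.1]),
    Asset("payroll-web", "finance", acr=8, vprs=[7.2]),
    Asset("dev-jenkins", "engineering", acr=6, vprs=[9.8, 4.0, 3.3]),
    Asset("kiosk-lobby", "facilities", acr=2, vprs=[9.9]),
]
THIS_QUARTER = [
    Asset("erp-db-01", "finance", acr=10, vprs=[6.1]),          # the 9.4 finding was fixed
    Asset("payroll-web", "finance", acr=8, vprs=[7.2]),
    Asset("dev-jenkins", "engineering", acr=6, vprs=[4.0, 3.3]),  # the 9.8 finding was fixed
    Asset("kiosk-lobby", "facilities", acr=2, vprs=[9.9]),      # high VPR, low criticality
]

if __name__ == "__main__":
    before = cyber_exposure_score(LAST_QUARTER)
    now = cyber_exposure_score(THIS_QUARTER)
    print("Org CES:", trend(before, now))
    print("Finance CES now:", cyber_exposure_score(THIS_QUARTER, sector="finance"))
    print("Top exposures now:", top_exposures(THIS_QUARTER))
```

Note how the kiosk with a 9.9 VPR finding stays low on the list because its ACR is 2, while the ERP database leads even after its worst finding was fixed: that is the difference between "how severe is this CVE" and "how exposed is the business", which is the point the metrics are meant to carry into the boardroom.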
Different cybersecurity companies use different scoring systems. Tenable, through its sponsorship of a new association called the Exposure Management Leadership Council, is trying to establish, in Huber's words, "a standardized, repeatable and defensible process for measuring and reporting on risk" that will apply across all companies and exposure-management platforms.
If the initiative succeeds, it may end up creating "something akin to a cyber version of the accounting industry's generally accepted accounting principles (GAAP)," Huber adds. And that's something you'll definitely want to be able to present to the board.