CISOs face increasing expectations from stakeholders as the impact of a cyberattack extends beyond the IT team to the board room and the market. Cyberattacks impact operations, share value, profitability, brand value, and business viability.

Cyberattacks clearly have a significant negative impact on stakeholder value and, therefore, optimising cybersecurity is necessary for preserving stakeholder value. CISOs can follow the methodology suggested by Gartner to improve enterprise cybersecurity, avoid stakeholder value erosion, and increase their credibility amongst board members.

How CISOs Can Enhance Enterprise Cybersecurity

CISOs can augment enterprise cybersecurity and preserve stakeholder value by:

  1. Improving Cybersecurity Governance
  2. Minimising Third Party Risk
  3. Rationalising Cybersecurity Investment

1. Improving Cybersecurity Governance

Cybersecurity governance is the policies and practices that an organisation uses to manage enterprise cybersecurity and align security with business goals. Effective cybersecurity governance, therefore, requires creating a cybersecurity policy that aligns with business goals and then implementing that policy by hiring appropriate cybersecurity talent; clearly communicating roles and responsibilities; and creating accountability for different stakeholders.

a) Creating a Cybersecurity Policy that Aligns with Business Goals

The CISO will need to work with the C-suite and the Board of Directors to understand the short- and long-term business goals and the digital infrastructure needed to support these goals. The organisation’s cybersecurity requirements, such as regulatory compliance, will be framed based on these goals and mapped to a cybersecurity policy.

A policy is only as effective as its implementation and therefore the policy must also specify internal penalties for non-compliance.

b) Hiring Appropriate Cybersecurity Talent

Once the organisation’s cybersecurity requirements are defined, a capability evaluation should be conducted to identify the gap between talent available within the organisation and talent required. Such a gap analysis, aligned with the organisation’s goals, makes it easier to obtain the required talent acquisition budget.

As enterprises may not wish to invest in recruiting and retaining a large cybersecurity team, CISOs may also present an option of using an external cybersecurity specialist to provide the required knowledge, expertise, and talent.

c) Communicating Roles and Responsibilities

Once the policy is created and a team appointed, the CISO must ensure that cybersecurity roles and responsibilities are communicated throughout the organisation with an escalation matrix to ensure that stakeholders have the required support to meet their cybersecurity obligations.

d) Creating Accountability for Different Stakeholders

CISOs must emphasise that the responsibility of maintaining cybersecurity lies with all stakeholders (and not just the IT team) and create a culture of accountability in the enterprise that extends to the Board of Directors, C-suite, business heads, HR, and other functions. Our detailed discussion on building a culture of accountability around cybersecurity provides more information on assigning accountability to stakeholders.

2. Minimising Third Party Risk

Third parties that access enterprise digital assets (devices, networks, data) or provide an essential digital service, including vendors and digital solutions, present a risk to enterprise digital safety that CISOs must manage.

All digital interactions with third parties must first be identified through an audit, and a risk evaluation then performed for each activity based on the depth of the interaction and/or the criticality of the provided service, the compliance requirements that overlap with the third party’s functions, and any prior cybersecurity events associated with the third party.

Based on the risk evaluation, appropriate mitigation strategies must be adopted for each third party, which can include:

  1. Limiting access to enterprise digital assets
  2. Stipulating cybersecurity criteria in contracts
  3. Specifying software development best practices to be followed
  4. Evaluating alternative suppliers as part of disaster recovery planning and for pre-emptive migration if a supplier is unable to maintain, or moves away from, the desired cybersecurity posture

The audits and evaluations must be repeated, and mitigation strategies reviewed, at periodic intervals to ensure that third parties continue to comply with the enterprise’s cybersecurity standards even as the business environment and threat landscape keep evolving. Building a Governance, Risk, and Compliance (GRC) practice, or using external GRC specialists, will enable effective long-term third-party risk management.

Our blog on Cybersecuring the Supply Chain provides more information on how supply chains can be secured.

3. Rationalising Cybersecurity Investment

Businesses do not have infinite resources and cybersecurity has to compete with other business functions for investment. CISOs can improve their budgetary allocation by clearly articulating cyberthreat protection as a return (in terms of costs and consequences avoided) on cybersecurity investment. This requires defining measurable outcomes, demonstrating business value, and advising the Board on cybersecurity investment.

a) Defining Measurable Outcomes

The CISO should be able to provide metrics that function as cybersecurity goals or indicate the effectiveness of cybersecurity investment, e.g., the number of phishing attempts blocked, improved or targeted Mean-Time-To-Identify (MTTI) and Mean-Time-To-Respond (MTTR), compliance achieved or progress towards certification, and patching status. Such measurable outcomes create confidence that cybersecurity investment can be used to achieve specific results.

b) Demonstrating Business Value

The CISO must demonstrate the business value of cybersecurity investment by discussing the direct and indirect financial consequences of cyberattacks on other organisations, and benchmarking the enterprise’s progress on cybersecurity against the industry standard (which indicates if the enterprise will be considered an easy target by cyberattackers, compared to other organisations in the industry).

c) Providing Cybersecurity Investment Advice

CISOs can build their credibility with the Board of Directors by defining measurable outcomes, demonstrating business value, and delivering tangible improvement in cybersecurity with the available resources. They can then function as trusted advisors to the Board on cybersecurity investment that helps the organisation achieve its strategic objectives and build stakeholder value.

Creating stakeholder value is the ultimate objective of every enterprise and CISOs play a critical role in ensuring stakeholder value is not destroyed by cyberattacks. Contact Us to know more about how K7’s cybersecurity consulting services can help CISOs optimise cybersecurity and preserve enterprise value.

2023 K7 Computing. All Rights Reserved.