A major challenge for the modern CISO involves trying to communicate cyber security issues upstairs to the C-suite and Board. The most common approach I've seen involves translating threats, vulnerabilities, and risks into so-called business language - whatever the heck that means. The result always seems awkward and weird to me - sort of like someone trying to describe revenue and expense to a physicist by sketching opposing force vectors.
Last week, I spent a productive afternoon with a company called TechDemocracy. Located near Menlo Park (the light bulb town in New Jersey, that is), the company focuses its efforts on helping enterprise security teams bridge the difficult language gap between experts and non-experts in cyber security. I was keen to understand how they approached this pervasive problem, and I'm glad I spent the time. Here is what I learned:
The TechDemocracy model for how cyber risk is communicated across a corporation involves three participants: First, there is the operational team, where day-to-day risk issues are examined in the context of practical implementation. Second, there is the management team, where the interpretation of cyber risk in business terms begins. And finally, there is the board of directors, where the appropriate goal is to understand cyber risk for improved governance.
This model might seem straightforward, but in practice, the communication often breaks down at the seams, resulting in games of telephone tag. The operations team might report, for example, an alarming and troubling increase in false positives. Managers, looking for a silver lining, might suggest that this increase is actually the result of more intense scrutiny. If the CISO does not push back, then the board will be treated to a positive story of improved detection.
"The communication gap is often significant between the typical enterprise security team and the executives in a corporation," explained Sri Patibandla, CEO of TechDemocracy. "The problem is that the team members working across these corporate levels use varying means for explaining relevant security issues. This includes the use of different numeric metrics for measuring cyber risks."
The framework TechDemocracy has created for dealing with cyber risk communication issues involves establishment of four strategic areas for the CISO team: Strategic Advisory, Cyber Security Technology, Cyber Risk Governance, and Audit and Assurance. These four areas form the basis for creating and managing a set of cyber security risk metrics that can establish a uniform, common interpretation across all levels of the corporation.
The cyber risk dashboard from TechDemocracy, called Intellicta, is designed to integrate ingested information from across the corporation into a series of quantified indices, including ones focused on breachability, compliance, and entity risk. Each of these indices is constructed from numeric estimates, consistent with COBIT ranges, that address both risk and liability concerns. An overall risk quantification is computed as well.
Now I am fully aware that a framework and dashboard for cyber risk are not going to solve the problem of board members not knowing the difference between a Kerberos and a Kardashian. And I also know that frameworks and dashboards will not solve the problem of nail-biting managers hiding awkward cyber risk from nervous boards. But the TechDemocracy approach looks sound, and should be considered by CISO teams to improve their communication of risk.