A Risk-based Approach to Cybersecurity, Gaining Support from the C-Suite, and the Board of Directors: DoCRA
Today's CISOs are facing an overwhelming set of challenges that could really hurt their company's bottom line. In an environment of ongoing disruption and eroding trust, where the public lacks confidence that their PII will be protected, and compliance and privacy regulations are driving the cost of a data breach into catastrophic amounts, managing Cyber Risk is a top priority.
And yet only a small percentage of organizations are doing proper Risk Assessments that are consistent with privacy and data protection laws (SEC, HIPAA, CCPA, GDPR, etc.) or with any real concern for protecting their customers.
Common Risk Management Methodologies do not facilitate communication in language that translates to “Business Outcomes” or that guides governance in a way that meets “Duty of Care” obligations, so you can’t drive a Cyber Security program through them.
While Cyber Security in the current climate is probably best managed as a C-Suite Team function, most organizations are not there yet. With the new SEC Rules, CISOs in public companies are generally seeing an increase in their level of engagement with boards, but there are still gaps to bridge, from funding levels to strategic goals, and for most private company CISOs, there is even less support.
In many cases, the cause of these gaps is lack of confidence and trust due to ineffective communication. Executives do not have the information they need to feel comfortable making decisions! That is why the Cybersecurity function is so frequently under-funded.
Unless you have recently suffered a breach, CFOs and other C-level executives and Board members will have various competing concerns and priorities, from budget constraints to other strategic investments. They have heard warnings so frequently that it's just background information that doesn't drive their decision-making.
An effective Information Security Program isn’t just about stopping the attacks. It’s about balancing security investments with the needs of management, and all other interested parties. That’s why regulations, courts, and information security standards focus on risk.
RISK ASSESSMENT DONE THE RIGHT WAY
When done correctly, risk assessments set priorities by evaluating the likelihood of harm, design safeguards that protect the mission, and determine when certain risks are acceptable.
Safeguards must not be more burdensome than the risks they protect against. Do you reduce risks using safeguards that are no more burdensome than the risks they protect against?
Can Your C-Suite and Board of Directors Make Informed Decisions?
If you asked your Leadership Team these four questions, how would they respond?
What happens when executives do not have the information they need to make informed decisions? When they don’t know if they are spending the right amount on Security, and don’t know if they are in a legally defensible position, they approve as little as they think they must!
What are your top 3 challenges in communicating with C-Suite
Reasons that expenditure requests do not get approved
I have worked with Cyber Security clients for many years in creating cost justification business cases to find budget dollars for a given tool or initiative, usually based on loose hypotheticals, like avoiding the cost of a data breach or increased productivity. In many cases, there was no trust or confidence in the numbers or decisions being made, making it easier to say no than yes.
Other reasons may be centered around…
But in most cases, it boils down to credibility and trust that come from clear communication and status on how prior investments and initiatives have reduced risks and protected or improved the company’s bottom line.
How can CISOs bridge gaps and secure support for cyber initiatives?
Is there a more effective way to help the C-Suite and Board understand why security needs to be better funded?
Yes: use DoCRA to guide informed decision making through the full risk lifecycle, from assessment to remediation, while communicating risks in business terms. This allows you to frame expenditure requests in the context of “unacceptable risk” (as the C-Suite defined it) that “must” be remediated.
The DoCRA Standard creates a common language, method, and understanding so that information security, legal, regulators, customers, and management can address security and compliance together, rather than competing for resources and strategic mindshare.
The Duty of Care Risk Analysis (DoCRA) approach can drive your Cyber Security Program, creating effective communication with the C-Suite and Board, helping you gain their confidence and trust to secure funding, and prioritizing where to spend; then, as mentioned in the previous article (Disconnect between Cyber Security & Regulators), keeping you from fines and lawsuits in the event of a data breach.
The DoCRA-based approach can foster the ability to nurture customer trust, comply with data security and privacy regulations and enable the C-Suite to think through any trade-offs between security and privacy, and profitable growth. It can facilitate Cyber Security becoming a competitive advantage.
For Customers: The Acceptable Risk Definition is stated in plain language allowing you to explain to customers how their information is appropriately protected.
For the C-Suite and Board: Risks are concisely calculated and prioritized against the needs of customers, business objectives, and external entities. This helps justify investment, create defendable risk calculations, and translate risks into prioritized initiatives.
For Attorneys and Judges: DoCRA allows you to achieve a reasonable implementation of security controls by evaluating your risks in a manner that aligns with judicial reasoning.
For Regulators: DoCRA helps to balance risks with burdens to match regulators’ expectations for reasonable and appropriate compliance.
For Your Security Team: DoCRA allows you to prioritize what matters to interested parties and to accept risks at a level the organization agreed to.
If an organization wants to be in the best position to communicate with executive management about decisions on certain investments, if it wants to justify in front of a judge why it made the decisions it made, if it wants to show a business partner “I'm considering the harm to you,” the Duty of Care Risk Assessment will allow all these parties to talk together in the same language.
By using DoCRA you will understand the “overall risk” to your organization and be able to communicate it in business terms, providing a roadmap that reduces risk to an acceptable level (“are we where we need to be and if not, when will we get there?”), and then show risk score reduction across remediation efforts historically.
C-Suite and Board Engagement
DoCRA brings in the C-Suite like no other method because of the criteria around Calculated, Acceptable Risk. It involves Executive Management, Legal, and Cyber Security working together to decide what the organization’s definition of acceptable risk is. You're defining it upfront. What is an unacceptable hit to your mission?
How the DoCRA approach will help you secure funding for Cyber Security initiatives
DoCRA can be a powerful tool to help earn the C-Suite’s trust and confidence.
The Big Picture is Progress Over Time
You can present the case for the project or initiative clearly and concretely, establishing trust (in how you have managed security historically) and confidence (in the quality of the decision) based on the information presented to request budget; suggest cost-effective interventions with a clear record of success; and build stakeholder support around a shared strategic view:
You will have three levels of information available for Budget Requests:
Project and cost information, which may be sufficient for expenditure approval; if more detail is required, Project and Business Impact details; and finally Risks and Business Impacts.
Example (Project and Business Impact)
Example (Risks and Business Impacts)
Now Management has the information needed to answer the 4 questions, so the request has a strong chance of approval.
1. Risk Management: “clear line” to know if a Risk “is okay” to accept?
2. Communication: Speaking the same or different languages?
3. Legal Protection: Legally protected?
4. Budgeting: Spending the right amount?
Sample Expenditure Approval Presentation Outline
Agenda
Big Picture: Program Progress Over Time
Since Our Last Review: Program Changes
Roadmap: Planned vs. Actual Risk Reduction (Historic and Future)
List of Unacceptable Risks
Budget Request Level 1: Budget Level (Projects and Costs)
Budget Request Level 2: Project Level (Projects and Business Impacts)
Budget Request Level 3: Risk Level (Risk and Business Impacts)
Sample Executive Status
The Methodology to Support Informed Decision-Making: Lifecycle of Risks, From the Executive Perspective.
Assessments: Are we identifying & analyzing risks as we should?
Planning and Approval: Are we creating & approving remediation projects fast enough?
Execution: Are we executing as planned and approved?
DoCRA PRACTICES
Manual Efforts
You can use the DoCRA Standard and CIS RAM for FREE, manually, using spreadsheets. This will require creating your own records of the CARD (Calculated Acceptable Risk Definition) and a Risk Register to capture your assessment and decision rationale information. You will also need to create your own Executive Status presentation deck, Expenditure Request deck/template, etc.
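As an added illustration (not from the DoCRA Standard, CIS RAM, or this article), here is what the CARD threshold and Risk Register records could look like in Python instead of a spreadsheet, together with the three checks the decks above report on: the list of unacceptable risks, safeguards that are more burdensome than the risk they reduce, and risk score reduction after remediation. The 1-5 impact and likelihood scales, the multiplication, the threshold of 9 and the register entries are constructed assumptions for the example.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Risk:
    risk_id: str
    description: str
    impact: int                # 1-5: harm to mission, customers or obligations if it occurs (assumed scale)
    likelihood: int            # 1-5: expectancy that the harm occurs (assumed scale)
    safeguard: str
    safeguard_impact: int      # 1-5: burden the safeguard itself places on the mission
    safeguard_likelihood: int  # 1-5: expectancy that the burden is actually felt

    def score(self) -> int:
        return self.impact * self.likelihood

    def safeguard_burden(self) -> int:
        return self.safeguard_impact * self.safeguard_likelihood


# Constructed CARD: the highest score executives, legal and security agreed to tolerate.
ACCEPTABLE_RISK = 9


def unacceptable_risks(register, threshold=ACCEPTABLE_RISK):
    """Risks above the agreed threshold: the 'List of Unacceptable Risks' that must be remediated."""
    return sorted((r for r in register if r.score() > threshold), key=lambda r: -r.score())


def rejected_safeguards(register, threshold=ACCEPTABLE_RISK):
    """Safeguards more burdensome than the risk they reduce, or unacceptable in their own right."""
    return [r for r in unacceptable_risks(register, threshold)
            if r.safeguard_burden() > r.score() or r.safeguard_burden() > threshold]


def risk_reduction(before, after):
    """Total register score before and after remediation, and the percent reduced, for the progress slide."""
    b, a = sum(r.score() for r in before), sum(r.score() for r in after)
    return {"before": b, "after": a, "reduction_pct": round(100 * (b - a) / b, 1) if b else 0.0}


# Constructed register for a fictional company (not real findings).
REGISTER = [
    Risk("R1", "Remote access without MFA", 5, 4, "Enforce MFA on VPN", 2, 2),
    Risk("R2", "Visitor Wi-Fi shares printer VLAN", 2, 3, "Separate guest VLAN", 1, 2),
    Risk("R3", "Phishing reaches finance mailboxes", 4, 3, "Block all external email", 5, 5),
]
# Register after the MFA project is delivered: R1's likelihood is re-assessed downward.
REMEDIATED = [replace(REGISTER[0], likelihood=1)] + REGISTER[1:]
```

In this constructed data, R1 and R3 are unacceptable, R3's proposed safeguard is rejected as more burdensome than the risk, and the MFA project reduces the total register score from 38 to 23.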
DoCRA Practically Applied: CIS RAM
While CIS RAM was built for the CIS Controls, like any other Risk Framework you can use whatever set of controls you like:
Just follow these three principles