Cyber Risk Exposure: Boards Top Questions for CISOs
This is part one of a four-part series that offers guidance on proactive communication strategies for CISOs, including ways to translate key information and express your actions in executive language, so you can remain focused on the important work of responding to incidents, events and threats equally, in order to mitigate organizational impacts.
When you’ve been breached or find you are vulnerable to a potentially devastating exploit (e.g., the execution of the Log4j vulnerability), it often triggers a series of activities that consume the lives of almost everyone connected to the security team. If you’re the CISO, you know you aren’t in for a lot of sleep until the threat has been fully assessed, contained, mitigated, and ultimately removed—or at least neutralized to the point that your operations can return to a “normal” state.
But CISOs are not the only ones trying to understand and minimize the repercussions of the vulnerability or attack. Other executives on the team also have a vested interest in remaining up to date on progress.
Let’s start with how to prepare yourself to answer question one: “ What’s our risk exposure, and did we experience any impacts?”
Subtext questions to consider:
- Are business-critical systems and data impacted, and how will this impact the business?
- What have we done to limit exposure, and what are we planning to do?
- What about key strategic partners and third parties? Do they expose us to additional risks?
Quantifying the Cyber Risk Exposure: Just How BAD Are We Talking?
What your executives and board really want to know is what’s the likelihood that something bad is going to happen, and just how bad will it be if it does? Risk exposure is calculated by likelihood times impact, but the board obviously isn't thinking in equations. They're thinking about how this is going to impact your business-critical functions, how to keep key data protected, how to keep customers happy and finally, how to continue generating revenue.
When it comes to assessing and reporting on your risk, you will need to analyze all the networks and systems in place to understand exactly how far-reaching your exposure is. You will also need to look across the business to identify any third parties, partners, or supply chain elements that could introduce risks. To get an understanding of what your vendors and strategic partners are doing to limit their exposure (and yours) will likely require some persistence on your part—but it is better to be annoying than caught off guard by a piece of software or integration that leaves you susceptible to attack.
This detailed analysis will help you respond to your board’s concerns about which business-critical systems, data, and operations could be impacted and what that could mean for the business. It also helps you stratify your risk and answer the almost inevitable follow-up questions, such as “Of our high-risk third parties, which ones have this under control, and which do we need to be the most concerned about?”
In addition, you’ll want to take the opportunity to provide insights into:
- Your plans if the exploit is successful
- How to “stop the bleeding” to keep delivering critical functions
- How the business plans to recover
This should include a discussion around all the things you have done—and are doing—to both limit your exposure and increase the resiliency of your operations, including your third-party business ecosystem, so you can keep functioning on a day-to-day basis.
Naming the Impacts to the Business: Bottom-Line It for Us
When it comes to impacts, it really goes above and beyond the tactical responses of your team. You must think holistically to cover all potential technical and business impacts. For instance, you are going to want to assess and report on:
- Costs: What did it cost to respond, recover, rebuild, replace, or transform any affected applications, systems, or infrastructure? What about other costs, such as the churn on the team and other intangibles that resulted from the focus being pulled from other activities?
- Strategic implications: Was there any loss in competitive advantage or market share/position?
- Damage to reputation: Were there any changes in customer satisfaction or loyalty? Did it impact investor relations or the partner ecosystem?
- Legal and regulatory compliance issues: Did it affect compliance obligations or generate any legal concerns? For example, is there any potential for investor/customer lawsuits? Any fines? Was any regulated or confidential data exposed? Are reasonable steps being taken to protect customer data, and how can the business show that due care is being exercised to keep it protected? (The FTC recently released a warning that they intend to use their full legal authority to pursue companies that fail to take reasonable steps to protect customer data from exposure to critical known vulnerabilities.)
- Operational disruptions: Were services or the supply chain impacted? Were any strategic initiatives delayed or put in jeopardy due to these activities? What are the resilience measures in place designed to minimize future impacts?
Walking into meetings with answers to these questions will help you explain to the board what you are dealing with and how you plan to address it to maintain acceptable risk levels.
Check out part two of this series, which looks at how to answer, “Is the situation contained and have we dealt with it adequately?”
Learn more about how to talk to your board about cyber risk exposure and other key issues by watching this video:
Get in Touch
Remember to ask for Unit 42 by name with your cyber insurance carriers if you need incident response services.
If you think you may have been impacted by the Log4j vulnerability or any other major attacks, please contact Unit 42 to connect with a team member. The Unit 42 Incident Response team is available 24/7/365. You can also take preventative steps by requesting a Proactive Assessment.