This is the sixth in our series sharing thought pieces from the CISO Desk Reference Guide: A Practical Guide for CISOs, volume 1. In the following excerpt from Bill Bonney’s essay for Chapter 6, beginning our section on governance and risk, Bill discusses how to communicate risk to senior leadership. Please enjoy.

Communicating Risk to Senior Leadership

In trying to educate executives and boards of directors, information security professionals tend to focus too much on the technical aspects of the “it won’t happen to us” side of the equation. As a result, we discuss system vulnerabilities and programmatic attacks without adequately setting the context of the business reasons why the likelihood is going up (i.e., the changing risk/reward equation for cyber criminals) and the potential business impact of successful attacks (for example, disruptions in the supply chain). Without this context, it is difficult to inspire the changes in behavior required to address the growing risks.

To address this, some information security professionals have focused on the ROI of security programs versus the impact of cyber incidents. It is undoubtedly a good idea to focus on ROI, but the calculations are often subject to error. Two contributing factors are 1) misunderstanding the changing values for likelihood as the number of actors, the number of vulnerabilities, and the economic incentives of cybercrime continue to alter the discussion from “if we get breached” to “when we get breached,” and 2) underestimating the cost in time, focus, and money of recovering from an actual breach.

Most information security professionals have accepted the near certainty of a breach as axiomatic for well over a decade, but the executive team has only recently started to agree. Worse, very few organizations can successfully determine the likely cost to the organization if a breach occurs. Insurance companies charge a wide range of premiums for policies, and each breach brings a new collection of publicly minded and litigation-prone groups with a point to make. Compensating individuals for data loss, paying the regulator’s fines, and replacing credit cards are no longer the most significant cost factors.

Also, many biases impact our reasoning when we are unsure of the outcomes. These biases, such as the status quo bias (taking the current state as a baseline), present bias (valuing current certainties over future uncertain outcomes), and the overconfidence effect (rating ourselves better than objectivity would suggest), operate against us when we are not confident of our facts or the outcome of our actions. When we attempt to explain the risks, and the changes in behavior that we’re advocating in response to those risks, in a non-technical way, it often leads to over-simplification, which the media reinforces with constant over-dramatization.

It is extremely difficult to motivate the executive team to act if we cannot frame the reasons to change behavior in business terms.

By this point, I hope I’ve built the case that one of the critical responsibilities of the CISO is to educate the executive team on the business impact of cybercrime. Explaining first what a cyber failure will do to the bottom line puts the discussion about countermeasures in the proper context. For example, “To avoid disruption to the supply chain during season ramp, we’re taking the following steps” is a more motivating action plan than “To avoid malware attacks, we’re forbidding employees to use their work laptops for holiday shopping.”