{"id":501,"date":"2024-10-07T07:00:00","date_gmt":"2024-10-07T07:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=501"},"modified":"2024-10-07T07:00:00","modified_gmt":"2024-10-07T07:00:00","slug":"chief-risk-storyteller-how-cisos-are-developing-yet-another-skill","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=501","title":{"rendered":"Chief risk storyteller: How CISOs are developing yet another skill"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Mastering the art of risk storytelling is essential for CISOs not just for engagement, but for driving meaningful action across the organization. The right story should emphasize cybersecurity risks with the end-goal of grabbing attention that leads to action.<\/p>\n<p>\u201cWhat gets talked about gets prioritized, so we want to be talking about cybersecurity,\u201d says Bethany De Lude, CISO with the Carlyle Group.<\/p>\n<p>This isn\u2019t just any old yarn about technical controls. It\u2019s understanding how the business works, mapping the security program to strategic objectives and developing a sophisticated story that uses risk vocabulary in the language of the audience. It\u2019s not talking about vulnerability scoring or speed of patching.<\/p>\n<p>\u201cThe days of talking about FUD (fear, uncertainty, doubt) are over, that\u2019s a low-maturity conversation. It needs to be something more sophisticated and CISOs must grasp enterprise risk,\u201d De Lude tells CSO. 
\u201cYou have to be able to frame the conversation for others, speak to their interests in their language and have the right level of detail, these are the ingredients for a good story.\u201d<\/p>\n<h2 class=\"wp-block-heading\">What CISOs need to consider to tell the right risk story<\/h2>\n<p>One of the hacks De Lude uses is to draw on topical news stories relevant to the audience in her risk conversations. It helps join the dots while demonstrating the importance of the security program and the need to avoid being in the headlines. \u201cI frame it in terms of what they\u2019re concerned about, so if they\u2019re on the board, it\u2019s brand risk or regulatory risk, and I talk about the implications and what we\u2019re doing to reduce that risk through the security program,\u201d she says.<\/p>\n<p>Even so, there are challenges in adopting the right language. The risk terminology is limited and can restrict the discussion, according to Alexander Hughes, director of cybersecurity and compliance with Visa. To address this, he suggests quantifying risk in terms of loss or degraded assets \u2014 diminished functionality or value due to attacks \u2014 which is easier to understand within a cybersecurity story. \u201cIf you can talk about risks as costs, there\u2019s more nuanced language such as revenue loss. So, if a service is attacked and not functioning, the asset is degraded or destroyed, and revenue is lost,\u201d he says.<\/p>\n<p>Adding to the challenge, Hughes thinks organizations are playing a guessing game when it comes to knowing the likelihood of risk. He says that humans aren\u2019t good at calculating the chances of a risk happening and organizations aren\u2019t very open about sharing attack data that would help these calculations. 
\u201cThere\u2019s not a great governmental store of data about the types of attacks, by frequency, severity and mode of exploitation, which means that we\u2019re kind of guessing,\u201d he says.<\/p>\n<p>This is why following a consistent risk management process helps: it builds a clear record of past risk decisions and their outcomes, and that record is what makes future risks easier to estimate, which in turn supports a better-informed risk story.<\/p>\n<p>UST CISO Joey Rachid agrees there\u2019s a need to better understand risk and to present it in ways the organization will grasp. Aligning it with business goals and communicating in the right language is critical. \u201cWe have to realize that as executives we\u2019re there to support the business and therefore we need to communicate in terms that resonate with the business leaders,\u201d he says.<\/p>\n<p>However, he learnt early on in his career that formulating risk using something like the <a href=\"https:\/\/www.csoonline.com\/article\/571911\/using-the-nist-cybersecurity-framework-to-address-organizational-risk.html\">NIST maturity<\/a> view didn\u2019t make much sense to the board and other executives. Likewise, going into too much technical detail is a quick way to lose the audience and the trust you hold as a CISO.<\/p>\n<p>\u201cThey\u2019re not going to learn our tradecraft, so you need to quantify risk in terms that make sense to your business. If you\u2019ve lost your audience, you\u2019ll lose the competence that they see in your ability,\u201d he tells CSO.<\/p>\n<p>Rachid has found the story needs to speak to the concerns of senior executives, typically material risk and the impact on the business and the bottom line. 
He shifted his approach to identifying risk \u2014 including material and unique risks \u2014 to the business and communicating those risks in terms that anyone could understand, for example a breach can result in reputational harm to a business.<\/p>\n<p>For the message to really hit home, he recommends quantifying risk according to the business, so the audience understands exactly what you\u2019re trying to explain. \u201cMy previous organization was an automotive company, so it was easy for me to tell stories using the analogy of a car because we all understand the risks of being on the road, not buckling your seatbelt and these things,\u201d he says.<\/p>\n<h2 class=\"wp-block-heading\">How the story of risk builds CISO credibility<\/h2>\n<p>Risk is integral to being in business and in many ways it\u2019s unavoidable. Indeed, risk can sometimes be a good thing, especially if managed well. \u201cAs risk managers, identifiers and people who treat risk, we don\u2019t always need to look at it as a bad thing. It\u2019s a part of life, it\u2019s a part of business,\u201d says Rachid.<\/p>\n<p>When CISOs understand the fundamentals of business and move away from couching risk as purely technology and cybersecurity to consider the broader context, it helps build rapport and credibility. \u201cThis builds your trust and competence in the executive team and the board, and they\u2019ll be more likely to listen to what you have to say when you\u2019re talking about those risks,\u201d Rachid says.<\/p>\n<h2 class=\"wp-block-heading\">The role of metrics and data in the security-risk story<\/h2>\n<p>The risk narrative should also be grounded in relevant metrics without overwhelming detail. 
The aim is to paint a picture of a particular type of risk, and that requires knowing how best to tell that story within your own context.<\/p>\n<p>\u201cI selectively pull metrics into storytelling that provide data to reinforce an important theme and layer in statistics and learnings from industry reports, such as Verizon\u2019s Data Breach Investigations Report and IBM\u2019s Cost of a Data Breach Report,\u201d says De Lude.<\/p>\n<p>If the story relates to third-party risk management, the metrics might cover how many vendors are being managed, how that number is trending, what the regulatory landscape looks like and how much weight it carries, according to De Lude.<\/p>\n<p>She\u2019s found there\u2019s always a lot of interest in hearing how the cyber program compares with peers, but again it\u2019s a case of not overwhelming the audience. \u201cFolks always want to hear about how their cyber program aligns with industry benchmarks, but I don\u2019t use dials and gauges. I show the most important things for us to go after and use a gap analysis to show where we are relative to our peers and what I think we should do next,\u201d she says.<\/p>\n<p>Even so, there\u2019s still a little scope for a touch of showmanship to keep the audience interested and to break risk down into everyday metrics. \u201cIf it\u2019s a town hall with the finance department, come prepared so you can say \u2018hey, finance professionals, did you realize you\u2019re one of the top three departments that gets targeted and here\u2019s why you\u2019re a target\u2019,\u201d she says.<\/p>\n<p>Whether it\u2019s a formal board meeting, committee meeting, town hall or just a hallway chat, the goal is to avoid making people feel silly because they don\u2019t know the specialist vocabulary. Her approach is to break risk down into consumable parts using simple vocabulary. \u201cI\u2019ve learnt time and again that gaps reveal themselves when jargon is removed. 
So, I make sure I can answer three key questions: Will the story resonate? Is it consumable? Have I addressed the listener\u2019s concerns?\u201d<\/p>\n<h2 class=\"wp-block-heading\">Defending the story and honing the storytelling skills<\/h2>\n<p>A compelling narrative also bolsters the case for investment in the cybersecurity program, and it becomes essential when restructuring an existing program or starting a new one.<\/p>\n<p>Hughes estimates that implementing the base set of requirements in the Center for Internet Security (CIS) Controls framework is a $2 to $3 million expense. \u201cThat\u2019s a massive expense, so that storytelling and dialogue between you and the rest of the company to create that new, forward expense is significant,\u201d he says.<\/p>\n<p>However, just as some stories have their skeptics, CISOs also need to be able to defend their risk story, particularly when there are big dollars attached to it. De Lude has found it helpful to stress test the story or presentation with challenge sessions. \u201cI might invite different people to a run-through and explain the concept and ask for potential objections to test and develop a robust narrative,\u201d she says.<\/p>\n<p>De Lude has also found that drawing on the internal expertise of people with strong communications skills can help a CISO learn how to project a story in a way that\u2019s compelling. \u201cHaving someone lend support who wasn\u2019t a cyber expert but knew how to really convey a strong message in all sorts of different ways was a game changer,\u201d she says.<\/p>\n<p>Her advice to other CISOs is to consider buddying up with marketing, communications or salespeople who might help with selling the story of the security program. 
\u201cThey\u2019re not technology communicators, they\u2019re business communicators, and that\u2019s what a CISO needs to be \u2014 a business partner who happens to be a cyber expert,\u201d she says.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Mastering the art of risk storytelling is essential for CISOs not just for engagement, but for driving meaningful action across the organization. The right story should emphasize cybersecurity risks with the end-goal of grabbing attention that leads to action. \u201cWhat gets talked about gets prioritized, so we want to be talking about cybersecurity,\u201d says Bethany [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":502,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-501","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/501"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=501"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/501\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/502"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=501"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=501"},{"taxonomy":"post_tag","embedd
able":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=501"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}