The CISO’s Guide for Reporting Cyber Risk to the Board in 2023


Executive Blog
Written by Aleksandar Radosavljevic, Global CISO, Global Fashion Group
Edited by Liam McGlynn

Aleksandar Radosavljevic

Global CISO

Global Fashion Group

MARCH 14, 2023

Faced with another year of uncertainty and global crisis, protection from ransomware attacks and other cyber threats is clearly a strategic objective for today’s organisations. However, successfully communicating risks and threats to the board remains a critical hurdle for CISOs to overcome. Measuring and communicating risk is a top priority for CISOs in the DACH region, as well as in the broader Evanta CISO community.

In this Executive Blog, Aleksandar Radosavljevic, Global CISO for Global Fashion Group (GFG) and DACH CISO Community Co-Chair, shares his thoughts on strategies CISOs can use to engage various stakeholders within their organisation, how CISOs can reframe their security teams, and examples of effective metrics used to monitor the progress of security programmes.

Education and awareness are about people – the roles each of us play is one of the most critical security controls. Many organisations treat cybersecurity awareness programs like a change management effort. However, this is not an effective practice.

Successful security practices require engaged and informed stakeholders, across all levels – starting from the board of directors and executives. Even the best ‘preventive’ technologies could be easily circumvented using well-crafted phishing emails that can lure employees into exposing their credentials to adversaries. Therefore, it is evident why cybersecurity education and awareness training are so essential.

Strategies to Educate and Engage Stakeholders

The first thing that should be done on the management level is to create a plan with consistent support across the entire organisation, with clear communication about roles and responsibilities. Those efforts should be followed by CISOs taking steps to ensure that they thoroughly understand the objectives, strategy, and mission of their organisation. From there, CISOs should ensure their security culture programmes’ goals are in sync with the wider business goals. Linking security strategies to business goals enables CISOs to drive fruitful conversations with non-IT stakeholders about the value the security program brings to the organisation. 

Moreover, instead of focusing on tech- and threat-centric conversations, CISOs must be business-aligned and speak the language the business understands to get buy-in from senior leadership. CISOs should focus on improving senior leadership’s awareness of cybersecurity risk within the organisation and their resilience to cyber-attacks. This awareness can be supported by ‘lessons learned’ sessions, implemented alongside clearly defined metrics to track the effectiveness of these programmes.
 

Reframing Security Teams from “Cyber Police” to Enablers

We are all witnessing how the last couple of years, especially the COVID-19 pandemic, have influenced the way we are working – being mostly from home. This accelerated the digital transformation journey for many organisations, bringing a positive shift in the way CISO teams enable the business. 

Traditionally, information security teams were mostly seen as gatekeepers of data or organisational ‘cyber police,’ as most of the time, they were focused on governance and adherence to policies. The process of adherence often caused conflict and annoyance among users, and the users’ behaviours would, in most cases, lead to ignorance or circumvention of policies – especially in situations where those policies would prevent them from doing things faster. Information security teams would, in turn, become frustrated that nobody would follow these policies. 

The approach should be ‘trust but verify first’, enabling access to the information while still maintaining the protection mechanisms."


To enable this transformation, information security teams must understand where the sensitive data is, who has the access to it, the overall security posture of that data, the data ‘flow’, and how it is being used. The approach should be ‘trust but verify first’, enabling access to the information while still maintaining the protection mechanisms. Nevertheless, this must support digital transformation at the pace of business.
 

Four Effective Metrics to Monitor Progress of Security Programmes

To effectively communicate the maturity of the cybersecurity program, including efforts and ongoing risk mitigation issues to the organisation, CISOs have to build a metrics program or dashboard that provides and monitors relevant information.

But before CISOs can use the metrics to measure maturity, they need to understand the critical processes within the organisation – across stakeholders and business teams. There are numerous different metrics an organisation could use. However, the best approach would be to categorise them based on function and potential audience.

For example:

  1. Administrative Metrics (Legal, Financial, HR) 

  • Legal – percentage of contracts that requires evaluation of security with specific requirements for breach notification.

  • Financial – percentage of IT budget allocated to information security.

  • HR – the percentage of employees who have attended minimum annual security awareness training, and employees who accepted/acknowledged the organisation’s policies.
     

  1. Vendor Management Metrics 

  • The percentage of vendors who have been audited.
     

  1. Operational Metrics (Information Security and IT Operations)
  • Asset and Software Inventory – the percentage of known assets and systems that are accurately inventoried in an Asset Management System.
  • System Upgrades and Patching
    • Percentage of systems patched within 30 days following notification of critical security patches.
    • Percentage of systems scanned for vulnerabilities on a monthly basis.
  • Multi-Factor Authentication (MFA)

    • The percentage of domain and system admin accounts that leverage MFA.

  • Mean-Time-To-Incident Response and Remediation 

    • Number of alerts or incidents detected every 24 hours.
       

  1. Governance Metrics (Compliance)
  • Incident Response Plan

    • Date since the incident response plan was last tested.

  • Business Impact Assessment (BIA) analysis 

    • Date since the BIA was updated for changes.

  • Business Continuity/Disaster Recovery (BC/DR) Plans

    • Date since BC/DR plan was last tested.”


Aleksandar is Co-Chair of the DACH CISO Community, an exclusive community of CISO executives from enterprise organisations, including Nestlé, RWE, DHL, Siemens Energy, Allianz, Red Bull, and more. Members of the community come together several times a year to connect with each other, exchange ideas and experiences, and validate strategies and solutions.

To find out more about your local community and connect with like-minded peers who share your priorities, apply to join here.