A key challenge companies face when tackling cyber risk is the communication gap between the specialist – often the Chief Information Security Officer (CISO) - and the generalist board. According to Willis Towers Watson, a majority of executives around the world are stumped by this “specialist-generalist” dilemma, especially as it relates to whom takes the lead on cyber resiliency within a firm.
The results of a global survey conducted by The Economist Intelligence Unit (EIU), sponsored by Willis Towers Watson, came back with only 8% of executives saying their CISO or equivalent specialist performs above average in communicating the financial, workforce, reputation or personal consequences of cyber threats. This indicates that there’s vast room for improvement in the communication of cyber risk.
“A CISO, or equivalent cyber specialist, needs to be able to communicate cyber risk with the board in a way that helps them understand how it impacts on their business,” said Tim Rees, director of cyber risk solutions, Great Britain, Willis Towers Watson. “Although we talk about the board being a generalist collective, each person in the room has their own expertise.
“Whether it’s the chief executive officer (CEO) wanting a corporate overview, the chief financial officer (CFO) wanting to talk numbers and how cyber risk could impact the bottom line, or the chief human resources officer (CHRO) wanting to culture and educate the workforce, the CISO needs to present information that everyone finds value in. This can be a very difficult prospect, especially when you’re a specialist trying to communicate a very technical issue.”
To close this communication gap, Willis Towers Watson is providing CISOs with tools that can help them quantify and translate the vulnerabilities found in their cybersecurity maturity assessments, explained Anthony Dagostino, global head of cyber risk with Willis Towers Watson. The accessible tools produce a dashboard-style executive summary, which CISOs can use to translate cyber exposure into dollar value.
Another key element to improving corporate cyber resiliency is the establishment of partnerships. For example, as workforce vulnerabilities contribute to most cyber incidents, two-thirds of the companies surveyed by EIU and Willis Towers Watson said they believe the HR and Information Security partnership is key. When asked who should take the lead in developing employee-related cyber risk policies, 54% said HR should lead with the help of Information Security and 28% said the opposite.
“These findings are encouraging because they signal that more organizations are involving their HR function in addressing cyber risk,” said Dagostino. “Still, organizations need greater collaboration between their CHROs and their CISOs to truly assess the organizational culture driving cyber risk in the first instance. The solution isn’t always more security awareness training. It could be a leadership or incentives and rewards issue, things that fall squarely within the function of the CHRO.”
Over the past few years, many corporate entities have been focused on the technical aspects of cyber risk, according to Rees. Like Dagostino, he said the survey results are “encouraging” in that they indicate companies are starting to take a more holistic view of cyber exposures. He expects the next few years to continue showing a shift in corporate focus from technology and systems security to the cultural aspects of cyber resilience as well as cyber insurance and risk transfer.