You can use X-Analytics to effectively communicate your cyber resilience strategy with your chief executive officer (CEO).
Opening Summary
Before learning how to communicate with the chief executive officer (CEO), it is important to understand the duties (or responsibilities) of the CEO, and what the CEO wants to hear from you.
This support page will describe how to effectively communicate your cyber resilience strategy with your CEO.
What are the responsibilities of the CEO?
The CEO is responsible for the company's success, which means the CEO is responsible for day-to-day operations. An effective CEO delegates action to other executive leaders, such as the CFO, CRO, and CIO. Everyone in the company works for the CEO.
The CEO's interest in cybersecurity often revolves around understanding the impact it has on the organization's overall strategy, financial health, and reputation.
Since the CEO works directly for the corporate directors, the CEO understands that the company's cyber risk condition is a direct reflection of their ability to optimize the business.
Like the Board, the CEO is concerned about protecting shareholders, paying out dividends, protecting the company's reputation, and ensuring legal and regulatory requirements are being met. Unlike the Board, the CEO is concerned about day-to-day operations and measuring the success of the other executive officers.
What does the CEO want to know about their cyber risk condition?
The CEO wants to know if the business is optimized for the greatest success and that their cyber risk condition will not introduce an unexpected outcome that adversely impacts revenue or margin.
In short, they want to know that their cyber risk condition will not:
erode shareholder value
reduce dividend payouts
violate legal or regulatory requirements
damage company reputation
adversely impact revenue and margin
or cause other adverse outcomes.
To help with the above, it is important to express the company's cyber risk condition in a way that can easily be understood by the CEO. For example:
Express the cyber risk condition in a context that allows the CEO to compare with other operational risks.
Provide trending to indicate if the cyber risk condition is getting better or worse based on an expected target state.
Supply prioritized risk remediation options in case the cyber risk condition is undesirable.
Supply optimized risk transfer options in case the cyber risk condition is undesirable or to explain the company's ability to offset damages, post cyber incident.
Articulate cyber budget requirements with an estimated return on investment for each budget item.
Illustrate the current state of compliance in relation to expected target states.
and other comparable views.
To effectively communicate with your CEO using X-Analytics, please follow the steps below:
Step 1. Expressing the Cyber Risk Condition
To express your cyber risk condition to the CEO, start by going to the X-Analytics Report Center.
With the Report Center, select Cyber Risk Summary.
Focus 1: Exposure Ratio
The exposure ratio is the company's estimated annual cyber exposure divided by the company's annual revenue. This value considers all possible losses multiplied by the probability of such losses.
This value allows the CEO to compare the company's cyber risk condition with other operational metrics (especially when those metrics are also normalized as a % of annual revenue) to determine if the cyber risk condition warrants special attention.
There is always a chance the CEO will believe the current cyber risk condition is acceptable and that it does not require additional attention or use of finite resources.
Focus 2: Cyber Exposure
The cyber exposure is the company's estimated aggregation of all possible losses multiplied by the probability of those losses. The value is further divided into key loss categories, which can be directly related to legal and regulatory requirements, risk mitigation decisions, and risk transfer decisions.
This value allows the CEO to understand the estimated financial exposure due to cyber incidents, with a further understanding of how that value maps back to key loss categories. If the value is undesirable, then the CEO may ask about risk mitigation or risk transfer options.
Focus 3: Cyber Exposure Trending
The cyber exposure trend represents the company's cyber exposure and the company's exposure ratio over a period of time. The trend shows monthly values in conjunction with a current value.
The trend allows the CEO to understand if the company's cyber risk condition is getting better or worse, and how the current condition aligns to a target state. If the CEO is concerned about the direction of the cyber risk condition, then they can ask about options to improve the cyber risk strategy in order to protect shareholder value, dividend payouts, the company's reputation, and other priorities.
Focus 4: Exposure Ratio Target Analysis
As an optional feature, you can set the company's Cyber Exposure Tolerance. This setting establishes a set of thresholds for low risk, medium risk, and high risk target zones. This setting gives you and the CEO a quick, intuitive understanding of the company's exposure ratio, which can help expedite either "peace of mind" or a "need for action".
Setting the company's Cyber Exposure Tolerance is easy. You just need to go to the Profile Builder, select Company Profile, enter "tolerance" in the search field, and then specify the high risk threshold, moderate risk threshold, and low risk threshold. The threshold values are represented as a % of annual revenue.
After setting the company's Cyber Exposure Tolerance, go back to the Report Center, select Cyber Risk Summary, and view the company's Risk Level (adjacent to the company's Exposure Ratio).
This value allows the CEO to quickly understand if the company's Cyber Exposure is acceptable or if it requires further attention. Ultimately, you should aim for having acceptable cyber risk. That would be an excellent outcome from a meeting with the CEO.
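As an added illustration (not X-Analytics' own code or model), the following Python sketch ties Focus 1 through Focus 4 together: it aggregates probability-weighted losses per loss category into a cyber exposure, normalises that by annual revenue into an exposure ratio, classifies the ratio against low/moderate/high tolerance thresholds, and reports the trend against a target state. The category figures, the treatment of each threshold as the lower bound of its zone, and the label for ratios below the low threshold are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class LossCategory:
    name: str
    annual_probability: float  # probability of at least one incident per year
    expected_loss: float       # expected loss per incident, in dollars

def cyber_exposure(categories):
    """Aggregate of all losses multiplied by their probabilities (Focus 2)."""
    for c in categories:
        if not 0.0 <= c.annual_probability <= 1.0 or c.expected_loss < 0:
            raise ValueError(f"invalid figures for loss category {c.name!r}")
    return sum(c.annual_probability * c.expected_loss for c in categories)

def exposure_ratio(exposure, annual_revenue):
    """Exposure divided by annual revenue, as a fraction (Focus 1)."""
    if annual_revenue <= 0:
        raise ValueError("annual revenue must be positive")
    return exposure / annual_revenue

def risk_level(ratio, low, moderate, high):
    """Place a ratio in a tolerance zone (Focus 4). Thresholds are fractions of
    revenue; each is assumed to be the lower bound of its zone (assumption)."""
    if not 0.0 <= low < moderate < high:
        raise ValueError("thresholds must satisfy 0 <= low < moderate < high")
    if ratio >= high:
        return "high"
    if ratio >= moderate:
        return "moderate"
    if ratio >= low:
        return "low"
    return "below tolerance"  # assumed label for ratios under the low threshold

def trend(monthly_ratios, target):
    """Direction of the monthly series and the gap between the latest value and
    the target state (Focus 3); a positive gap means the target is not met."""
    if len(monthly_ratios) < 2:
        raise ValueError("need at least two monthly values to show a trend")
    first, latest = monthly_ratios[0], monthly_ratios[-1]
    direction = ("improving" if latest < first
                 else "worsening" if latest > first else "flat")
    return direction, latest - target

# Constructed sample figures for a company with $500M annual revenue.
SAMPLE_CATEGORIES = [
    LossCategory("data breach", 0.12, 20_000_000),
    LossCategory("interruption", 0.25, 6_000_000),
    LossCategory("ransomware", 0.08, 15_000_000),
    LossCategory("misappropriation of funds", 0.05, 4_000_000),
]
SAMPLE_REVENUE = 500_000_000
SAMPLE_MONTHLY_RATIOS = [0.0135, 0.0128, 0.0120, 0.0112, 0.0106]
```

With the sample figures the exposure is $5.3M, the exposure ratio is 1.06% of revenue, and thresholds of 0.5%, 1.0% and 2.0% place the company in the moderate zone while the monthly series shows it improving toward a 1.0% target.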
Focus 5: CIS CSC Control Implementation and Targets
In addition to cyber exposure values, you can show the CEO the company's current CIS CSC implementation and implementation targets. This view intertwines the topics of risk and compliance (or cyber maturity). To show the company's CIS CSC implementation, go to Report Center, Control Framework, select CIS CSC, and then view CIS CSC results.
This view helps the CEO understand the company's current CIS CSC Alignment (scale is 0% to 100%), the current CIS CSC Implementation Group achievement (scale is 0 to 3), and how the company's CIS CSC implementation aligns to Unaddressed Cyber Exposure.
Additionally, you can show the CEO the implementation of each CIS CSC function in relation to a target state. This view allows the CEO to quickly determine where to focus finite resources on cyber risk improvement (if one or more functions are below target state).
Focus 6: NIST CSF Control Implementation and Targets
In addition to cyber exposure values, you can show the CEO the company's current NIST CSF implementation and implementation targets. This view intertwines the topics of risk and compliance (or cyber maturity). To show the company's NIST CSF implementation, go to Report Center, Control Framework, select NIST CSF, and then view NIST CSF results.
This view helps the CEO understand the company's current NIST CSF Alignment (scale is 0% to 100%), the current NIST CSF Tier achievement (scale is 0 to 4), and how the company's NIST CSF implementation aligns to Unaddressed Cyber Exposure.
Additionally, you can show the CEO the implementation of each NIST CSF function in relation to future exposure benefit if fully implemented and the NIST CSF tier category achievement in relation to a target state. This view allows the CEO to quickly determine where to focus finite resources on cyber risk improvement (if one or more tier categories are below target state).
Step 2. Expressing the Risk Remediation Options
If the CEO is concerned about the company's cyber risk condition, then provide risk mitigation options.
Focus 1: Top 5 Control Areas to Reduce Financial Exposure
For a high-level, simple list of prioritized mitigation options, you can start with the Top 5 Control Areas to Reduce Financial Exposure.
This table illustrates the top 5 control domains that offer the best exposure improvement if those control domains were fully implemented. It might help if you express the combined benefit of the top 5 controls.
The table allows the CEO to understand available risk mitigation options, and how those options could be leveraged to reset future target expectations. The CEO could rely on future trending to see if those expectations are being met.
Focus 2: CIS CSC Prioritized Guidance
Deeper than the Top 5 Areas to Reduce Financial Exposure, you can show the CEO the full prioritized list of CIS CSC controls. To show the company's prioritized guidance based on the CIS CSC framework, go to Report Center, Control Framework, select CIS CSC, and then view CIS CSC results.
This view helps the CEO understand the company's current implementation of each CIS CSC control and the maximum exposure improvement benefit for each control if implemented at 100%. The CIS CSC controls are sorted in order of "best" to "least" improvement opportunity. This view is especially meaningful to the CEO in two ways:
It allows the CEO to make decisions beyond just the top five prioritized controls.
It allows the CEO to see that all controls are not equal in benefit despite what is being pushed by compliance.
In addition to the full CIS CSC control list, you can show the CEO which CIS CSC functions offer the best exposure improvement if implemented at 100%. This view gives the CEO an opportunity to adjust strategy and better align finite resources toward protecting shareholder value, reputation, and other.
Focus 3: NIST CSF Prioritized Guidance
Deeper than the Top 5 Areas to Reduce Financial Exposure, you can show the CEO the full prioritized list of NIST CSF categories. To show the company's prioritized guidance based on the NIST CSF framework, go to Report Center, Control Framework, select NIST CSF, and then view NIST CSF results.
This view helps the CEO understand the company's current implementation of each NIST CSF category and the maximum exposure improvement benefit for each category if implemented at 100%. The NIST CSF categories are sorted in order of "best" to "least" improvement opportunity. This view is especially meaningful to the CEO in two ways:
It allows the CEO to make decisions beyond just the top five prioritized controls.
It allows the CEO to see that all controls are not equal in benefit despite what is being pushed by compliance.
In addition to the full NIST CSF category list, you can show the CEO which NIST CSF functions offer the best exposure improvement if implemented at 100%. This view gives the CEO an opportunity to adjust strategy and better align finite resources toward protecting shareholder value, reputation, and other.
Since most companies work toward a NIST CSF Tier target (such as 3.0), you can show the CEO the company's estimated "revised" exposure per tier achievement. This view can also help the CEO validate whether the current NIST CSF tier target state needs to be adjusted to better protect the company.
Focus 4: Mitigation Simulator
For CIS CSC and NIST CSF, you can show the CEO the mitigation simulator to illustrate an estimated return on investment. To show the CEO the Mitigation Simulator, go to the Report Center and select Mitigation Simulator.
Within the Mitigation Simulator, specify the budget, select the controls that are being updated with the budget, and specify the improved implementation level that the budget achieves for each control.
This view helps the CEO easily understand the return on investment per cybersecurity project. Ultimately, this view helps keep the CEO from misallocating finite budget.
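The following Python sketch is an added example (not X-Analytics' code or model) that covers the Top 5 list of Focus 1, the prioritized control lists of Focus 2 and 3, and the Mitigation Simulator of Focus 4: controls are ranked by the exposure improvement still available to them, the combined benefit of the top five is summed, and a planned budget is turned into an exposure reduction and a return per dollar. The CIS CSC control names are real, but the figures, the linear scaling of benefit with implementation level, and the simple summation of benefits across controls are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Control:
    name: str
    implementation: float  # current implementation level, 0.0 to 1.0
    max_benefit: float     # exposure reduction, in dollars, if implemented at 100 %

    def remaining_benefit(self):
        """Improvement still available; assumed to scale linearly with the gap."""
        return self.max_benefit * (1.0 - self.implementation)

def prioritized(controls):
    """Controls ordered from "best" to "least" remaining improvement opportunity."""
    return sorted(controls, key=lambda c: c.remaining_benefit(), reverse=True)

def top_n_combined_benefit(controls, n=5):
    """Combined benefit of the top-n controls (a simple sum that ignores any
    overlap between controls, which is a simplifying assumption)."""
    return sum(c.remaining_benefit() for c in prioritized(controls)[:n])

def simulate(controls, budget, planned_levels):
    """Mitigation Simulator sketch: planned_levels maps a control name to the
    implementation level the budget buys. Returns (exposure_reduction, roi),
    with roi = exposure reduction per dollar of budget."""
    if budget <= 0:
        raise ValueError("budget must be positive")
    by_name = {c.name: c for c in controls}
    reduction = 0.0
    for name, new_level in planned_levels.items():
        c = by_name[name]
        if not c.implementation <= new_level <= 1.0:
            raise ValueError(f"{name}: level must be between current and 100 %")
        reduction += c.max_benefit * (new_level - c.implementation)
    return reduction, reduction / budget

# Constructed sample: the CIS CSC control names are real, the figures are not.
SAMPLE_CONTROLS = [
    Control("Data Recovery", 0.40, 1_800_000),
    Control("Account Management", 0.55, 1_500_000),
    Control("Continuous Vulnerability Management", 0.30, 1_200_000),
    Control("Malware Defenses", 0.80, 2_000_000),
    Control("Security Awareness and Skills Training", 0.50, 600_000),
    Control("Audit Log Management", 0.20, 500_000),
]
```

Note that Malware Defenses has the largest maximum benefit but ranks only fourth, because most of it is already realised; this is the "all controls are not equal in benefit" point the prioritized views make.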
Step 3. Expressing the Risk Transfer Options
If the CEO is concerned about the company's cyber risk condition, then provide risk transfer options. Go to the Risk Transfer Analyzer.
Within the Risk Transfer Analyzer, go to Estimated Impact of Transfer on Cyber Exposure. This table illustrates the benefit of risk transfer (cyber insurance policy) on the company's cyber exposure. From a quick observation, you can easily determine if there are gaps in insurance coverage or if there is limited cyber insurance benefit.
This table shows the cyber insurance benefit per loss category, with a further division of interruption and misappropriation to cover finer details.
The CEO can use this table to understand risk transfer and to reset future expectations for risk transfer.
Post Incident: Estimated Risk Transfer Benefit
Proactive or reactive understanding of risk transfer benefit per cyber incident is available within X-Analytics. This can be accomplished by going to the Risk Transfer Financial Simulator.
Within the Risk Transfer Financial Simulator, select the loss category and size of incident.
This table illustrates the insurable impact in relation to total impact for a specific cyber incident.
The CEO can use this table to understand risk transfer benefit per incident (reactively or proactively) to determine how the incident will alter shareholder value or company reputation. Additionally, the CEO could use this information with the CFO, CRO, CISO, and other executives to discuss self-insurance, cash on hand, and other liability options.
Black Swan Incident: Understanding a Worst-Case Condition
Proactive or reactive understanding of worst-case conditions is available within X-Analytics. This can be accomplished by going to the Risk Transfer Financial Simulator, selecting a loss category, selecting the largest incident, and then selecting "worst-case" within the Loss Selector.
The CEO can use this table to determine insurance benefit in relation to total impact per worst-case cyber incident.
Step 4. Determine Materiality Post Cyber Incident
If there is a cyber incident and if the CEO needs to determine if the cyber incident is material, then use the Cyber Impact Estimator. You can show the CEO the Cyber Impact Estimator by going to the Report Center and selecting Cyber Impact Estimator.
Within the Cyber Impact Estimator, find the related loss category and select the magnitude of the incident. For guidance, please use the list below:
Data Breach: For data breach, select the number of records compromised within the incident.
Interruption (DoS Attack): For interruption (DoS attack), select the duration of the incident. This selection is only related to denial-of-service related interruption incidents.
Interruption (Other): For interruption (Other), select the duration of the incident. This selection is related to malice- and error-based incidents that are not related to denial-of-service attacks.
Misappropriation of IP: For misappropriation of intellectual property, select the value of intellectual property, in relation to revenue, that was stolen within the incident.
Misappropriation of Funds: For misappropriation of funds, select the value of electronic funds, in relation to revenue, that was stolen within the incident.
Misappropriation of Services: For misappropriation of services, select the value of critical services, in relation to revenue, that was compromised within the incident.
Ransomware: For ransomware, select the duration of the incident.
Ransomware + Data Breach: For a ransomware incident that includes a data breach, select:
data breach and select the number of records compromised within the incident,
and ransomware and select the duration of the incident.
Special Note: You will need to combine both estimates for the total damage.
This view allows the CEO to see estimated damages from low to worst-case. Based on the magnitude of the incident, 90% of companies will experience low damages, 50% of companies will experience median damages, 10% of companies will experience high damages, and 3% of companies will experience worst-case damages.
If the CEO determines the incident to be material, then the CEO may be obligated to report the incident to shareholders and other constituents. Additionally, the CEO may want you to determine the estimated recovery from cyber insurance and may want you to update the cyber resilience strategy to build confidence with shareholders and other constituents.
In Summary
To avoid common communication mistakes when communicating with the CEO, use the X-Analytics guide "Effective Communication with CEO". This guide helps you focus on what matters most to the CEO to ease cyber anxiety or stimulate action. Notice how quickly your message resonates and how fast you get the support you need.