Views on Cybersecurity Threat Information Sharing Between CISOs and the Board From Bay Dynamics Chief Executive Officer Feris Rifai

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

Bay Dynamics recently released a report that surveyed information technology and security officers about the types of cybersecurity activity they report to their board of directors. The report concluded that chief information security officers (CISO) and the board of directors don't adequately share cybersecurity threat information.

Bloomberg BNA Privacy & Data Security News Senior Legal Editor Daniel R. Stoller posed a series of questions to Bay Dynamics Chief Executive Officer Feris Rifai on the current difficulties information technology and security officers have presenting actionable cybersecurity threat information to the board of directors and what both sides can do to fix the problem.

Bloomberg BNA:

The Bay Dynamics report indicates that CISOs are confident on what cybersecurity threat information to present to the board and what type of information the board wants to hear. However, much of this information is either misunderstood or too technical. What can the CISOs do to streamline the process to provide more actionable information?


In order for the board to make decisions regarding an organization’s cybersecurity risk posture, they need quantitative information that is framed in the context of relevant business concerns.

The challenge for the modern CISO is to translate cybersecurity risk into a language that non-security practitioners can understand and use to drive decisions. The cybersecurity metrics shared may differ from one company to the next; but, ultimately you want to provide your board with highlights of significant risks to the business in an effort to help them achieve effective oversight and facilitate the right action that can help you reduce your company’s cybersecurity risk.

For example, as an IT and security executive, you may want to inform the board how you are currently protecting the company’s crown jewels (e.g. employee credentials, customer credit card information, health care records, trade secrets, etc.), and then describe how the risk to these crown jewels can be mitigated by making certain investments. Do this in plain English and without security-specific technical jargon. Quantify what’s at stake (the value at risk), what you are currently doing about it, and what else you can do to reduce your cybersecurity risk.

Another example could be discussing the kind of attacks you’re seeing on companies in your industry, such as compromised third party vendor credentials who have access to the company’s crown jewels, and then providing an assessment of the business impact of such an attack with an estimated dollar amount in loss of sales, reputational damage, liability, etc., and finally making a recommendation to the board as to managing that very risk. This in turn helps you and your board justify an investment that may be much needed for you to prevent or drastically reduce the likelihood of such an event.

IT and security executives should also provide progress reports over time regarding how those decisions helped reduce the overall cybersecurity risk of the organization. This enables your board to see how their decisions directly impacted the cybersecurity risk posture of the organization.

Ultimately, cybersecurity is a risk management problem. IT and security executives want to show the level of risk the organization faces today and that by taking certain actions the board can help reduce it. The board understands and speaks the language of risk. By speaking the board’s language, IT and security executives will be able to gain their support in helping them improve the organization’s cybersecurity risk posture.

Bloomberg BNA:

Cybersecurity reporting is dominated by manual methods—i.e. manually imported excel files. What are the pros and cons of a manual method? If a manual method is not a best practice is there technology that exists to automate the process?


I don’t think there are pros of using a manual method however there are plenty of cons.

Most enterprises have siloed IT and security systems and teams, and cobbling together board reporting manually by compiling spreadsheets that include subjective data massaging to make everything line up has significant downsides. Not only is it a major drain on resources and productivity, but it can also provide a false sense of security that hides serious deficiencies from both the IT/security executives and in turn the board.

Whether it is due to intentional manipulation or human error, it leads to incorrect reporting and oversight of important data. In the end, IT and security executives may wind up with outdated and/or partial data, or overlook critical data that the board needs to make informed decisions.

IT and security executives need a repeatable, automated and traceable process to reflect the organization’s true cybersecurity posture. There is technology that provides that. We call it “The Great Unifier.” User and entity behavior analytics combined with advanced situational awareness software unifies organizations’ security controls by collecting data from them and producing automated, accurate reports that reflect the organization’s cybersecurity risk posture.

The software adds a layer above organizations’ security detection tools, providing a consistent view across data sets and enabling IT and security executives as well as the board to make good, informed decisions. The software helps organizations measure, communicate, and reduce their cybersecurity risk. It distills what’s happening in their environment down to providing information IT and security executives can serve to the right people at the right time for the right action.

Board members have a fiduciary responsibility to hold IT and security executives to a higher standard and should request information about the systems being used to measure and provide them with the organization’s cybersecurity risks.

Bloomberg BNA:

The frequency of cybersecurity threat information presented to the board is lacking, according to the report. How can CISOs and the board of directors balance an overload of information versus underreporting of cybersecurity threats?


IT and security executives should focus on addressing the board in a holistic manner. Obsessively reporting every cybermetric possible is not the answer.

We believe there are three major areas that IT and security executives need to communicate to their board. The company’s cybersecurity history with a focus on learning from the past, what is the current state of affairs and where IT and security executives would like to make changes to improve the organization’s overall cybersecurity risk posture.

Board members have a fiduciary responsibility to hold IT and security executives to a higher standard and should request information about the systems being used to measure and provide them with the organization’s cybersecurity risks.

They should also continually come back to the boardroom and show what they are doing at that time relative to what was discussed and approved by the board in previous meetings. It’s equally as important to share with the board how their latest cybersecurity investments have reduced the organization’s overall risk. IT and security executives should explain what they were looking to do when they last spoke with the board, where they are now and where they think they will be moving forward. This kind of tracking enables the board to see a tangible cybersecurity risk reduction being made while they were steering the ship.

IT and security executives get limited time with the board. They should use that time to share the actual risks that could impact the organization and then get the board to help address those risks, and empower them to reduce them in the process.

Bloomberg BNA:

What role does the Chief Legal Officer or General Counsel play in the divide between CISOs and the board?


The Chief Legal Officer or General Counsel should be the overseer of both parties. They play an important role in making sure IT and security executives are reporting information based on an automated, repeatable process and the board is holding them accountable for doing so. It is legal executives’ responsibility to do whatever they can to help the organization avoid litigation and that means getting involved, rolling up their sleeves and informing both parties what their responsibilities are in minimizing the organization’s cybersecurity risk.

They should share with the board what is expected of them including demanding that IT and security executives provide them with actionable information so that they can make informed decisions about the organization’s cybersecurity risk. On the other side, legal executives should make sure IT and security executives are aware that the information they are sharing with the board needs to be trustworthy and traceable. Legal executives can explain how both sides have a part in cybersecurity risk reduction and they can help bridge the gap in communication by making sure both parties understand their responsibilities.