Having a boardroom conversation about cybersecurity and material risk

Mar 12, 2018 | 5 mins
Cybercrime, Data and Information Security, IT Leadership

Those who embrace a material risk approach to addressing cyber threats will command the attention of senior leaders and steadily drive improvements into their organization’s security posture.

[Image: business people collaborating in a boardroom. Credit: Thinkstock]

I know a lot of persuasive folks in the cybersecurity community who can easily conjure up a dozen different cyberattack scenarios detailed enough to scare the socks off any board member. Many of us have been hearing about these hypothetical disasters for a decade or longer.

Senior leaders are nervous – and spending copiously. Yet, even as the defense of enterprise data has grown into a steadily expanding $93 billion a year global industry, cyberthreats, by and large, remain an abstract, catch-all notion in many board rooms.

Encouragingly, that’s beginning to change. A confluence of developments makes this so. Mainly, the disclosures of actual nightmare breaches, which climbed to new heights in 2016 and 2017, show no signs of slowing. This pattern has prompted newly minted state regulations in New York and Colorado, mandating improved data protection practices – a harbinger of more such regulations to come. Meanwhile in Europe, come May, the EU will implement its revised General Data Protection Regulation. GDPR carries stiffer data privacy rules that generally elevate consumers’ rights, and levies steep penalties against corporate violators.

The table is set for CSOs and CISOs to enter the board room and redirect the conversation about cyber risks away from the worst possible scenario, and toward the risks that are most likely to result in material impact to the business. For example, if a hacktivist somehow managed to deface an organization’s public-facing website, that would be embarrassing, but not material. But if hackers could steal product or growth plans, then use that information to build a competitive product or influence market decisions, that would harm the organization; that would be material. We do this kind of analysis to concentrate on the risks to the business that are most likely.

I’m privileged to be in the vanguard of security executives who have taken up this battle cry: namely, to ask fundamental questions with respect to any specific cyberthreat. Is it material to the business? Because if it isn’t, why are we even talking about it? If it is material, then what are the odds that it will happen; and, more specifically, could it happen here in the next three years?

Material risk defined

In every organization I’ve ever been in, there has always been a risk-mitigation heatmap listing the 10 or 15 things senior executives worry about most. It might be the sudden resignation of the CEO or a force majeure, such as a major earthquake knocking out a pivotal data center. Amorphous “cyber” is usually listed near the end of that heatmap, seemingly too complex and abstract to call out a specific risk related to cyber but scary enough to not leave it off the list. To be clear, “cyber” is not a risk. It is a vector. Good things happen to an organization because of cyber, and bad things happen because of cyber. In order for it to be included on the heatmap, the risk should be very specific and presented in terms that the organization’s officials can understand. C-level executives and board members make decisions about risk all the time. Cyber is no different. Until now, the CISOs of the world just have not been that good at translating technical risk into business risk.

The good news is that this situation is starting to change. Both the rationale and the tools are starting to emerge for security executives to begin presenting cyber risks to board members with more precision. Instead of saying things like, “The chances of something bad happening because of ‘cyber’ are high,” we should be saying things like, “Given our security posture, we’re 90 percent certain that there is a 20 percent to 40 percent probability that the company could be materially impacted by the compromise of a customer database – in the next three years.” With that kind of ballpark, executives can now determine if that risk is acceptable to the business. If it is, then nothing needs to be done. If it isn’t, then the CISO can offer mitigating solutions that will lower the probability.

An approach like this compels security executives to put pencil to paper, and it gives senior leaders viable context from which to make informed risk-mitigation decisions.
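To show what "putting pencil to paper" on a statement like the one above looks like, here is an added example (not from the article, and not a Palo Alto Networks tool) that turns a calibrated estimate in the style of Hubbard and Seiersen into a Monte Carlo risk figure a board can weigh against its tolerance. The inputs are constructed: a 90 percent confidence interval of 20 to 40 percent that a customer-database compromise with material impact occurs within three years, a 90 percent interval of $1M to $10M for the resulting loss, and an assumed $5M materiality threshold with a 5 percent tolerance; the "control" simply halves the event probability.

```python
import math
import random

# Constructed inputs, not figures from the article: the CISO's calibrated
# 90% confidence interval for "a customer-database compromise with material
# impact occurs in the next three years" is 20%-40%, and the 90% CI for the
# resulting loss is $1M-$10M.
Z90 = 1.645  # z-score bounding a two-sided 90% interval

def simulate_losses(p_low, p_high, loss_low, loss_high,
                    p_reduction=0.0, trials=20000, seed=7):
    """Monte Carlo over the statement 'we are 90% certain the probability is
    p_low..p_high'. Returns one simulated three-year loss per trial (0 when
    the event does not occur). p_reduction is the fraction by which a proposed
    control lowers the event probability (0.5 halves it)."""
    rng = random.Random(seed)
    # The event probability is itself uncertain: normal with 90% CI [p_low, p_high].
    p_mean, p_sd = (p_low + p_high) / 2, (p_high - p_low) / (2 * Z90)
    # Loss given the event: lognormal with 90% CI [loss_low, loss_high].
    mu = (math.log(loss_low) + math.log(loss_high)) / 2
    sigma = (math.log(loss_high) - math.log(loss_low)) / (2 * Z90)
    losses = []
    for _ in range(trials):
        p = min(1.0, max(0.0, rng.gauss(p_mean, p_sd))) * (1 - p_reduction)
        losses.append(rng.lognormvariate(mu, sigma) if rng.random() < p else 0.0)
    return losses

def exceedance_probability(losses, threshold):
    """Share of simulated outcomes whose loss is at least the threshold."""
    return sum(1 for x in losses if x >= threshold) / len(losses)

def expected_loss(losses):
    """Mean three-year loss across all trials, including the zero-loss ones."""
    return sum(losses) / len(losses)

def acceptable(losses, materiality, tolerance):
    """Board decision rule: accept the risk if the chance of a loss at or above
    the materiality threshold is within the stated tolerance; otherwise mitigate."""
    return exceedance_probability(losses, materiality) <= tolerance

if __name__ == "__main__":
    materiality, tolerance = 5_000_000, 0.05  # assumed board parameters
    base = simulate_losses(0.20, 0.40, 1_000_000, 10_000_000)
    mitigated = simulate_losses(0.20, 0.40, 1_000_000, 10_000_000, p_reduction=0.5)
    for name, losses in (("as-is", base), ("with control", mitigated)):
        print(f"{name}: P(event)={exceedance_probability(losses, 1):.2f} "
              f"P(>= ${materiality:,})={exceedance_probability(losses, materiality):.3f} "
              f"E[loss]=${expected_loss(losses):,.0f} "
              f"acceptable={acceptable(losses, materiality, tolerance)}")
```

The as-is run lands around an 8 percent chance of a material-sized loss, above the assumed 5 percent tolerance, while halving the event probability brings it under; that before/after pair is the "mitigating solutions that will lower the probability" conversation in numbers.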

Additional benefits

As an additional benefit, a healthy consensus develops about risk tolerance, which invariably reflects a company’s vertical sector and corporate culture. One might imagine that cyber risk tolerance is much different for Walmart than it is for the Internal Revenue Service, for instance.

CISOs, the newer faces on executive row, have a big role to play in accelerating and teasing out this shift, which is just getting underway; they must continue to push it forward. In many organizations, the CISO post still doesn’t exist; or if it does, the role tends to be tech-focused, reporting to a CIO, who may still hold an abstract view of cyber risk.

Given the continued ferocity of attacks on business networks, it’s clear that CISOs are destined to continue rising in stature and influence, and I firmly believe those who embrace a material risk approach to addressing cyberthreats will command the attention of senior leaders and steadily drive material improvements, if you will, into their organization’s security posture.

Further reading

We have just scratched the surface here. If you’re ready to learn more, I’d urge you to read How to Measure Anything in Cybersecurity Risk by Douglas W. Hubbard and Richard Seiersen, and Measuring and Managing Information Risk: A FAIR Approach by Jack Freund and Jack Jones. We’ve also created a hall of fame of sorts for cybersecurity books we like to call the Cybersecurity Canon.


As a 23-year military veteran, Rick Howard has a vast background in several different areas of InfoSec, ranging from experiences within both the public and private sectors. During his previous military career he learned the technical skill sets necessary to succeed in the IT/sec world and in his current role as the chief security officer (CSO) of Palo Alto Networks he continues to learn and contribute to the business aspects of this evolving industry.

Prior to joining Palo Alto Networks, Rick was the Chief Information Security Officer (CISO) for TASC and led the development of TASC’s strategic vision, security architecture and technical roadmaps for information security. As the GM of a commercial cybersecurity intelligence service at Verisign (iDefense), he led a multinational network of security experts who delivered cyber security intelligence products to Fortune 500 companies. He also led the intelligence-gathering activities at Counterpane Internet Security and ran Counterpane's global network of Security Operations Centers.

A veteran, Rick served in the US Army for 23 years in various command and staff positions involving information technology and computer security and spent the last two years of his career as the US Army's Computer Emergency Response Team Chief (ACERT). He coordinated network defense, network intelligence and network attack operations for the Army's global network and retired as a lieutenant colonel in 2004.

Rick holds a Master of Computer Science degree from the Naval Postgraduate School and an engineering degree from the U.S. Military Academy. He also taught computer science at the Academy from 1990 to 1995.

He has published many academic papers on technology and security and has contributed as an executive editor to two books: “Cyber Fraud: Tactics, Techniques and Procedures” and “Cyber Security Essentials.” In the spring of 2013, Rick Howard spearheaded the creation of a "Rock and Roll Hall of Fame" for cybersecurity books called The Cybersecurity Canon. The Cybersecurity Canon's goal is to identify a list of must-read books for all cybersecurity practitioners -- be they from industry, government or academia -- where the content is timeless, genuinely represents an aspect of the community that is true and precise, reflects the highest quality and, if not read, will leave a hole in the cybersecurity professional's education.

The opinions expressed in this blog are those of Rick Howard and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.