Why Are CISOs Struggling with Governance, Risk, and Compliance Reporting?

Sravish Sridhar

19 Oct 2023

This article was originally published in Cybersecurity Insiders.

In our increasingly digitally connected world, cybersecurity risks are at an all-time high and still growing. With this in mind, businesses are beginning to embrace and understand, if they didn’t before, just how essential a healthy governance, risk, and compliance (GRC) program is to their organization’s overall success.

Too Many Stakeholders Need Governance, Risk, and Compliance Reports

CISOs and their teams are now inundated with numerous requests to prove their security and privacy posture. Each stakeholder requires the data to be reported in different ways:

  • Customers & Partners: They want assurance that their data is protected. Often, they use compliance frameworks like SOC 2, ISO 27001, NIST, HIPAA and GDPR as proof of information security. In many cases, adherence to one (or more) of these frameworks is a necessary qualification before an organization can be considered as a customer or partner.
  • Boards & Company Leadership: Given the size of GRC investments, and the potential liability to boards and leaders, GRC is a business-level priority that requires buy-in and support from the board and C-Suite. Not only do they want to know how these resources are impacting the business, they also have a strong interest in mitigating the company and personal liability that comes with a security breach.
  • Internal CISOs and InfoSec Team Reporting: These are the programs security professionals lead, so they are heavily invested in the strategy and results of risk management and compliance.
  • Regulators: They are in charge of coming up with the specific compliance and risk management measures all organizations should be adhering to, in order to adequately protect themselves and their customers from the growing and changing modern threat landscape.
  • Auditors: External auditors are looking for specific compliance and risk artifacts; the easier it is for them to find exactly what they need, the more likely a company is to pass an audit in a reasonable timeframe.
  • CFO: CFOs need justification for the budget they are giving to CISOs. So they want to see results. And not just any results, but results that positively impact or accelerate revenue.

The Impact of the SEC’s New Cybersecurity Regulations

The SEC recently published new rules for public companies specific to cybersecurity and compliance. With the new ruling, public companies will need to:

  • Disclose material cybersecurity incidents within four business days
  • Describe processes for “assessing, identifying, and managing material risks from cybersecurity threats”
  • Report and disclose material information regarding cybersecurity risk management, strategy, and governance on an annual basis
  • Describe the board of directors’ oversight of risks from cyber threats and management’s role and expertise in assessing risks and threats

While, for now, this ruling only requires publicly traded companies to take these steps, these policies set new foundational standards for GRC and transparency in the way we do business. Not only will organizations be required to disclose cybersecurity incidents in a timely manner, but they will also have to share information on their overall GRC and cybersecurity policies every year. Moreover, the SEC is specifically holding the board of directors and management responsible for GRC and the management of cyber risk. Circling back to our question from earlier, “who cares about risk management & compliance?”, the SEC is now making sure that an organization’s board of directors and management care, if they didn’t before.

Connecting Risk to Business Impact

While there are countless examples of what can happen to an organization when a cyber risk is exploited (think loss of data, customers, trust, tarnished brand reputation), CISOs are still struggling to connect risk to business impact and justify their security budgets.

An organization’s CFO and board will often evaluate projects based on impact, which means CISOs need data and evidence that connect how they protect against risk to how it affects the business’s bottom line. While risk is a broad term, a more tangible definition is contractual risk – the commitments made to customers and partners, and the size of the contracts at stake if those commitments are not met. A concrete definition that reports in ARR (or another key revenue-related KPI) makes it easier for CISOs to communicate the size of relevant risks, which in turn helps justify budget requests and program spend.

How Should CISOs Solve Their Reporting Requirements?

CISOs should be able to share a few key metrics that management, the board, and the CFO need to know in order to better understand the value and benefits being delivered from the security and GRC program. Metrics to share with key stakeholders include:

  • Potential Financial Impact: An estimate of how much a given risk could cost, factoring in direct financial loss, ransomware payments, legal costs, PR, lost business, lost competitive advantage, customer churn, or changes to insurance premiums.
  • Residual Financial Impact: How much of my potential financial impact still exists now that I have taken some action to reduce my risks? What’s the impact after I have created and implemented a treatment plan? How much liability am I still carrying?
  • Top Five Risks: CISOs and leadership teams should focus on the top five risks that have the greatest residual financial impact or represent key security threats, along with how much treatment work is still outstanding for each.
  • Revenue Accelerated by Security Programs: The ARR associated with contracts that required a security review. While not a direct measure of risk, it is helpful context to show how the security program impacts growth overall.

When a CISO is able to identify and share metrics like these, they can articulate the value and impact of their security and GRC program in terms that the C-Suite and board can understand, and better connect risk to business impact. When everyone is speaking the same language on compliance and risk, the result is an organization that is better aligned to prioritize, build, and maintain a healthy GRC and security program and showcase the results of that program and its benefits to customers and stakeholders.