Why the industry needs GAAP-style accounting standards for cyber

COMMENTARY: As chief executive officers (CEOs) and boards ask their chief information security officers (CISOs) to help them navigate regulatory and cyber risks with an eye toward business resilience and profitability, the cybersecurity world view in the C-suite has shifted dramatically.

The CISO evolution from a technical focus to a business focus has been under way for some time – and in the coming years a much more diverse group of candidates will fill this top cyber role.

[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]

These future CISOs must have risk management DNA running through their blood. They will need to keep cyber risk visible – and always do that in the context of broader enterprise risk. They'll operate with the understanding that cyber represents just another vector by which risk manifest itself—just like any other financial or logistical or competitive risk that managed to maximize profitability and business health.

The real trick to getting to that enlightened state is in how well CISOs can measure and communicate risk status to the board. Today, it’s still not so easy to answer this simple question from the board: How much risk do we incur if we choose not to put maximum security controls around this new software/line of business asset?”

Now, there are two important ingredients to consistently offering a relevant answer to that recurring question. First, the CISO has to have the business acumen and capability to understand that it’s a financial question and not a technical one. Boards want to know how much money is at risk, not how many critical vulnerabilities are left open or how many attacks need repelling. That's why the role needs to evolve.

Along with a knowledge of risk management CISOs will also need reliable visibility in to the right measurables. CISOs will need a consistent means of continuous controls monitoring that gives them a ground truth-based view of their cyber posture that they can then translate into financial calculations. Ideally, those monitoring sources do some of that translation and into enterprise risk platforms to ease that tight tie into business risk.

Unfortunately, the state of monitoring and of cyber risk visibility is still pretty immature. True, just about any cyber risk platform or tool has a dashboard that claims to offer some kind of simplistic red, yellow, green risk meter to the board. But the value of these dashboards only goes skin deep.

The fundamental question to ask: what data was used to support the stance displayed on the dashboard? Dig into the data sources of these tools and we’ll find that they're not based on any kind of telemetry observing what controls are actually running or what behavior actually manifest itself across tech infrastructure. Instead, they're just based on Excel spreadsheets filled with data from self-attestation. This data isn't a ground truth—it's just a mirage. It’s never timely, and it's easily gamed.

Why we need a GAAP-like standard for security

If CISOs are really going to elevate their position in the C-suite and truly drive meaningful discussion about cyber risk, they're going to need to have the same rock-solid level of reporting that their brethren in the finance department bring to their board discussions. Financial reporting data has become extremely structured and repeatable across all enterprises because it’s guided by the standards set out through generally accepted accounting principles (GAAP), which are governed by the Financial Accounting Standards Board (FASB). Everybody measures the same things, in the same way. Doing this makes it hard to cook the books and easy to ensure that the yardstick reads the same way no matter the business.

I believe that we're going to need to get to a place where we have GAAP-style accounting for security monitoring. This may seem like a tough ask to make of the industry—standards battles are always long and never pretty. But we're getting to a point where regulators, insurance companies, and veteran risk executives will scramble to find a way to make it happen because there’s such a dire need.  

If we can get to a consensus of generally acceptable security monitoring practices, setting out a standard reporting structure it becomes easier for auditors to check best practices, for insurers to get real-time snapshots into exposure levels, and for CISOs to easily translate exposures into financial risk quantification that makes sense to the board. This kind of ground-truth reporting is crucial for next-generation security executives to have the right conversations with the board about how to prioritize where resources should go first, what it's going to cost, and the next steps organizations need to take.

According to IANS, a lot of CISOs today are executives in name only. The professional organization found that only 20% of them are actually at the C-level. For most, their title has chief in them but they're actually operating at a VP or director level. The only way that this level of influence will change is if cyber finally grows up. That won't happen until we see an evolution of the leadership role CISOs play every day and the tools made available to them as they advise the board on business-relevant risk.

Bob Ackerman, founder and managing director, AllegisCyber Capital

Editor’s Note: This is the third and final of three Monday morning columns on the changing role of the CISO.

SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.