Create a relationship of trust with the executive committee: step 2, solidify the organisation’s posture and explain the lines of action
Creating a relationship of trust with the executive committee is a long-term effort. After a first step that usually involves raising awareness and putting the cyber risk into perspective for the organization (see post 1), it is now time to get to the heart of the matter and start down the path of transformation!
TO TRANSFORM, YOU HAVE TO KNOW WHERE YOU ARE STARTING FROM…
Before any transformation, it is important to define the starting point and share the findings with the executive committee. International standards naturally form the basis for the evaluation: ISO 27001/2 and NIST CSF are the two international references, one rather European, the other more Anglo-American.
But what will matter most to executives is a benchmark based on the posture of their competitors and of the market in which they operate. To that end, we have developed specific tooling at Wavestone and built a comparison base that currently includes more than 50 large organizations, mostly international and based in Europe. The quality of this base is essential to convince leaders, who during the debriefings will ask, precisely and often with a lot of perspective, what is done elsewhere.
The first key element of an evaluation is to ask the right questions and get useful answers! In a large organization, it is complex to carry out a detailed assessment of the level of compliance with security rules. A simple rating on a classic maturity scale (from 1 to 4, for example) quickly reaches its limits. What we have chosen to do, and what has proven its worth in the field, is to answer each question by expressing the percentage of the perimeter covered. For example, an organization may have 80% of its workstations protected by a simple anti-virus and 20% by modern EDR-type tooling. The same approach is replicable for more organizational questions: 50% of users made aware through emails, 30% through a webinar and 20% through face-to-face sessions.
In the collective unconscious, this questioning phase often seems long and very energy intensive. A high level of detail, evidence gathering or technical checks can be useful when the organization already has a high level of maturity. But at the beginning, a simpler and more effective approach, typically over a short period of one month with a workload of twenty days, may be enough to provide a concrete picture of the situation and enough concrete arguments to obtain decisions and initiate change.
During the preparation phase, it is also important to identify the expectations of the executive committee beforehand. Discussing with the most concerned members their expectations, their opinions on the right way to approach the subject and the priorities of the organization is essential to ensure the relevance of the questioning and restitution phases. There is nothing worse than being off topic on the day of the restitution!
… AND SHARE THE REALITY OF THE SITUATION
After the collection phase comes the analysis of the results. Our experience shows that combining several views makes the most sense and is the most effective way to gain commitment. The classic radar charts of ISO or NIST compliance are obviously essential but often prove ineffective: too many axes, too many mixed elements that ultimately always give average scores.
As mentioned in the previous post, two indicators work well at the beginning of the exchange: the budget dedicated to cybersecurity and the number of people mobilized on cybersecurity. The budget indicator is always tricky to handle (high annual variation and non-homogeneous accounting methods), so we often prefer the headcount indicator, which is more stable and reliable. Secondly, in our opinion, it is effective to run the analysis along three axes:
- The 1st is the resistance of the organization to the latest known attacks. Clearly the most effective element in a debriefing with the executive committee, it also helps to capture attention at the beginning of the restitution. To build this view, we use CERT-W operational feedback to learn about the latest cybercriminal attack methods and we analyze the associated countermeasures.
- The 2nd is a market posture, crossing the level of compliance with international benchmarks (e.g. “I aim for 75% ISO compliance”) with the gap to the market average for the organization concerned (“on workstation security, I am 3 points below the market; on physical security, I am 2 points above”). Crossing these two axes helps to identify priority areas (those where you are below international standards but also above the market) and those where you should not be aggressive (the whole market is below international benchmarks, but you are above the market average).
- The 3rd is an “actors” oriented view of the transformation, organized by the large entities that will be in charge of it (for example: within the CIO’s organization, the network, the workstations, the servers; within the risk directorate …). This view is very useful to conclude the exchange because it creates action and shows who will have to invest the most.
Of course, these different views can be segmented by country or large organizational units to reflect possible disparities or expectations of management.
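As an added illustration (not part of the original post or of Wavestone’s tooling), the following Python script applies the percentage-of-perimeter scoring described above to the workstation and awareness examples, then positions a domain against an assumed standard target and a constructed market average as in the second axis. The maturity level assigned to each practice, the 75% target and the market figures are assumptions made for the example.

```python
"""Coverage-weighted maturity scoring and market-gap positioning (illustrative)."""
from typing import Dict, List, Tuple

# Assumed maturity level of each practice on the classic 1-4 scale (0 = nothing in place).
LEVELS: Dict[str, int] = {
    "no protection": 0,
    "simple anti-virus": 2,
    "EDR": 4,
    "awareness emails": 1,
    "webinar": 2,
    "face-to-face session": 3,
}


def coverage_score(answers: List[Tuple[str, float]]) -> float:
    """Weight each practice's maturity level by the share of the perimeter it covers.

    answers: [(practice, fraction_of_perimeter)]; the fractions must sum to 1.
    Returns the score as a percentage of the maximum maturity level.
    """
    total = sum(frac for _, frac in answers)
    if abs(total - 1.0) > 1e-6:
        raise ValueError(f"coverage must describe the whole perimeter, got {total:.0%}")
    weighted = sum(LEVELS[practice] * frac for practice, frac in answers)
    return round(100 * weighted / max(LEVELS.values()), 1)


def position(score: float, standard_target: float, market_avg: float) -> Dict[str, float]:
    """Cross the gap to the international standard with the gap to the market average.

    'hold' flags the case the post describes as one where not to be aggressive:
    the whole market is below the standard, but the organization is above the market.
    """
    return {
        "gap_to_standard": round(score - standard_target, 1),
        "gap_to_market": round(score - market_avg, 1),
        "hold": market_avg < standard_target and score > market_avg,
    }


if __name__ == "__main__":
    # Constructed answers mirroring the examples in the post.
    workstations = coverage_score([("simple anti-virus", 0.8), ("EDR", 0.2)])
    awareness = coverage_score([("awareness emails", 0.5), ("webinar", 0.3),
                                ("face-to-face session", 0.2)])
    print("workstations:", workstations, position(workstations, 75, 63))
    print("awareness:   ", awareness, position(awareness, 75, 40))
```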
In this restitution phase, our experience shows that executive committees are increasingly sensitive to cybersecurity issues and will ask very specific and concrete questions. The evidence and facts about the organization must therefore be well prepared. Having the results of recent audits, concrete figures on the time it takes to successfully break in, and even videos of an attack demonstration can help an executive committee become aware of the risk.
STARTING NOW STEP 3: TRANSFORMING THE ORGANIZATION
Describing the situation, the difficulties and the axes of progress should not be an end in itself. The first arguments on the conduct of change must be prepared. Who should carry the transformation? What financial volumes should be expected? What schedule should be considered? What reporting should be done? And above all, which sponsor in the executive committee should follow this topic? Without being a formal part of the meeting, bringing these elements into the end of the exchange allows us to prepare the next step and collect the first opinions.
These questions obviously depend heavily on the organization, but we are seeing trends emerge. Today, it is mainly the CISO within the CIO’s organization who carries the transformation, often supported by an experienced programme director familiar with the structure. Regarding budgets, for major remediation programmes, the sums in the financial sector range between 200 and 800 million euros, and in the industrial sector between 50 and 100 million. These sums are usually committed on 2- or 3-year programmes, followed by the executive committee quarterly at launch; a semi-annual pace can then be sustained from then onwards.
To conclude the session, the most important thing is to define the next steps! Even if these results do not immediately lead to the launch of an investment programme, the risk review should take them into account or propose a new benchmark the following year.