Rosalyn Page
Contributing writer

Chief risk storyteller: How CISOs are developing yet another skill

Feature
07 Oct 2024 · 9 mins

Cybersecurity risks are critical to communicate, but CISOs are finding crafting a narrative that resonates requires more than technical expertise.

[Image: business meeting, a man in the audience asks a question during a presentation. Credit: Shutterstock]

Mastering the art of risk storytelling is essential for CISOs not just for engagement, but for driving meaningful action across the organization. The right story should emphasize cybersecurity risks with the end-goal of grabbing attention that leads to action.

“What gets talked about gets prioritized, so we want to be talking about cybersecurity,” says Bethany De Lude, CISO with the Carlyle Group.

This isn’t just any old yarn about technical controls. It’s understanding how the business works, mapping the security program to strategic objectives and developing a sophisticated story that uses risk vocabulary in the language of the audience. It’s not talking about vulnerability scoring or speed of patching.

“The days of talking about FUD (fear, uncertainty, doubt) are over, that’s a low-maturity conversation. It needs to be something more sophisticated and CISOs must grasp enterprise risk,” De Lude tells CSO. “You have to be able to frame the conversation for others, speak to their interests in their language and have the right level of detail, these are the ingredients for a good story.”

What CISOs need to consider to tell the right risk story

One of the hacks De Lude uses is to draw on topical news stories relevant to the audience in her risk conversations. It helps join the dots while demonstrating the importance of the security program and the need to avoid being in the headlines. “I frame it in terms of what they’re concerned about, so if they’re on the board, it’s brand risk or regulatory risk, and I talk about the implications and what we’re doing to reduce that risk through the security program,” she says.

Even so, there are challenges in adopting the right language. The risk terminology is limited and can restrict the discussion, according to Alexander Hughes, director of cybersecurity and compliance with Visa. To address this, he suggests quantifying risk in terms of loss or degraded assets — diminished functionality or value due to attacks — which is easier to understand within a cybersecurity story. “If you can talk about risks as costs, there’s more nuanced language such as revenue loss. So, if a service is attacked and not functioning, the asset is degraded or destroyed, and revenue is lost,” he says.

Adding to the challenge, Hughes thinks organizations are playing a guessing game when it comes to knowing the likelihood of risk. He says that humans aren’t good at calculating the chances of a risk happening and organizations aren’t very open about sharing attack data that would help these calculations. “There’s not a great governmental store of data about the types of attacks, by frequency, severity and mode of exploitation, which means that we’re kind of guessing,” he says.

This is why following a consistent risk management process helps: it builds a clear record of past risk decisions and outcomes, that record is crucial for predicting future risks more accurately, and a better prediction makes for a more informed risk story.

UST CISO Joey Rachid agrees there’s a need to better understand and present risk in ways the organization will understand. Aligning it with business goals and communicating in the right language is critical. “We have to realize that as executives we’re there to support the business and therefore we need to communicate in terms that resonate with the business leaders,” he says.

However, he learnt early on in his career that formulating risk using something like the NIST maturity view didn’t make much sense to the board and other executives. Likewise, going into too much technical detail is a way to quickly lose the audience and the trust you hold as a CISO.

“They’re not going to learn our trade craft, so you need to quantify risk in terms that make sense to your business. If you’ve lost your audience, you’ll lose the competence that they see in your ability,” he tells CSO.

Rachid has found the story needs to speak to the concerns of senior executives, typically material risk and the impact on the business and the bottom line. He shifted his approach to identifying risk — including material and unique risks — to the business and communicating those risks in terms that anyone could understand, for example a breach can result in reputational harm to a business.

For the message to really hit home, he recommends quantifying risk according to the business, so the audience understands exactly what you’re trying to explain. “My previous organization was an automotive company, so it was easy for me to tell stories using the analogy of a car because we all understand the risks of being on the road, not buckling your seatbelt and these things,” he says.

How the story of risk builds CISO credibility

Risk is integral to being in business and in many ways it’s unavoidable. Indeed, risk can sometimes be a good thing, especially if managed well. “As risk managers, identifiers and people who treat risk, we don’t always need to look at it as a bad thing. It’s a part of life, it’s a part of business,” says Rachid.

When CISOs understand the fundamentals of business and move away from couching risk as purely technology and cybersecurity to consider the broader context, it helps build rapport and credibility. “This builds your trust and competence in the executive team and the board, and they’ll be more likely to listen to what you have to say when you’re talking about those risks,” Rachid says.

The role of metrics and data in the security-risk story

The risk narrative should also be grounded in relevant metrics without overwhelming detail. The aim is to paint a picture about a particular type of risk and that requires knowing how best to tell that story within your context.

“I selectively pull metrics into storytelling that provide data to reinforce an important theme and layer in statistics and learnings from industry reports, such as the Verizon’s Data Breach Investigation Report and IBM’s Cost of a Data Breach Report,” says De Lude.

If it relates to third-party risk management, then it might mean talking about how many vendors are being managed, how that number is trending, what the regulatory landscape looks like and how important that is, according to De Lude.

She’s found there’s always a lot of interest in hearing about how the cyber program aligns with peers, but again it’s a case of not overwhelming the audience. “Folks always want to hear about how their cyber program aligns with industry benchmarks, but I don’t use dials and gauges. I show the most important things for us to go after and use a gap analysis to show where we are relative to our peers and what I think we should do next,” she says.

Even so, there’s still a little scope for a touch of showmanship to keep the audience interested and to break risk down into everyday metrics. “If it’s a town hall with the finance department, come prepared so you can say ‘hey, finance professionals, did you realize you’re one of the top three departments that gets targeted and here’s why you’re a target’,” she says.

Whether it’s a formal board meeting, committee meeting, town hall or just a hallway chat, the goal is to avoid making people feel silly because they don’t know the specialist vocabulary. Her approach is to break risk down into consumable parts using simple vocabularies. “I’ve learnt time and again that gaps reveal themselves when jargon is removed. So, I make sure I can answer three key questions: Will the story resonate? Is it consumable? Have I addressed the listener’s concerns?”

Defending the story and honing the storytelling skills

Creating a compelling narrative is also important to bolster the case for investment in the cybersecurity program, and it becomes especially important when restructuring or starting a new program.

Hughes estimates the base set of requirements in the Center for Internet Security Controls Framework is a $2 to $3 million expense. “That’s a massive expense, so that storytelling and dialogue between you and the rest of the company to create that new, forward expense is significant,” he says.

However, just as some stories have their skeptics, CISOs also need to be able to defend their risk story, particularly when there’s big dollars attached to it. De Lude has found it can be helpful to stress test the story or presentation with challenge sessions. “I might invite different people to a run through and explain the concept and ask for potential objections to test and develop a robust narrative,” she says.

De Lude has found that drawing on the internal expertise of people with strong communication skills can help a CISO learn how to project a story in a way that’s compelling. “Having someone lend support who wasn’t a cyber expert but knew how to really convey a strong message in all sorts of different ways was a game changer,” she says.

Her advice to other CISOs is to consider buddying up with marketing, communications or salespeople who might help with selling the story of the security program. “They’re not technology communicators, they’re business communicators, and that’s what a CISO needs to be — a business partner who happens to be a cyber expert,” she says.


Rosalyn Page has been writing about technology long enough to remember when the only thing to worry about was Y2K. Since then, the dot-com boom became the dot-com bubble, technology fundamentally altered our lives, and everything has become about security. With a particular interest in privacy, data, and security, Rosalyn has covered social media, AI, IoT, deepfakes, marketing tech, the cloud, enterprise tech, consumer tech, and digital transformation. Her side gig is an arts and culture blog, ‘Some Notes from a Broad’. And when not wrangling bits and bytes into words, Rosalyn enjoys low-fi hobbies like reading books, walking her Whippet Sketch, and having one too many coffees at her favourite café.
