How to write a cyber threat report executives can actually use
- 18 May, 2021 14:00
The CEO’s email landed in Maurice Stebila’s inbox around midnight, the message asking whether Stebila, the company’s CISO at the time, had heard about the latest news-making cyber event.
“He had no idea we were already looking at this event,” Stebila says.
Stebila already had regular conversations with the CEO and other executives, but that late-night email cemented his plans to develop a weekly report updating the C-suite about cyber threats.
“I wanted to make sure that they knew we were on top of all these threats, so I decided to be proactive and share information with them [more frequently] instead of making them come to me,” says Stebila, now chairman of CxO InSyte, an organisation he founded to provide programming to the CISO community.
Back at his former company, Stebila used the new report to provide a high-level look at the prior seven days in cyber security, including the threats and vulnerabilities that could impact the organisation as well as any that grabbed headlines that week. He says he viewed the reports as part of his larger cyber security awareness program.
There’s good reason for Stebila and other CISOs to up their report writing skills.
Security chiefs have seen their C-suite colleagues, board members, and other enterprise leaders become more interested in security issues over the past decade as cyber threats emerged as significant risks to organisations. PwC, for instance, found in its 2021 Global CEO Survey that 71 per cent of CEOs are “extremely concerned” about cyber threats (up from 61 per cent in 2016).
But interest and concern don’t automatically equate to comprehending the complexities of a solid cyber security operation. Cyber threat reports can help bridge that gap.
Well-crafted and well-timed reports help executives grasp what’s happening in the world of cyber security and how that impacts their own organisations so they can make better informed decisions.
Consider your audience
Cyber threat reports aren't required by any regulations or formalised by longstanding corporate practices as are other executive reports such as the CFO’s quarterly financial statements. So, CISOs can control when to deliver a cyber threat report, who receives it, and what each one should include, according to veteran security leaders.
Still, they shouldn’t treat these reports as freeform communications.
Security experts advise CISOs to develop and deliver these reports in a way that provides the most value to their own organisations and to tailor their reports to the recipients’ levels of security awareness.
“The report you write to the CIO is different than the one to the CEO or a board, because you’re dealing with two different levels of knowledge,” says Bruce deGrazia, program chair for cyber security management and policy at the University of Maryland Global Campus.
“These [reports] give CISOs an opportunity to provide information and to influence people, so CISOs should remember that they have to make the information relevant to the audience; they’ve got to engage them, because every engagement is a way to influence others in a positive way,” adds Tim Rawlins, director and senior advisor of NCC Group, a cyber security and risk mitigation company.
In determining who should receive the report, CISOs should consider their organisation’s reporting structure and culture.
Some CISOs submit their reports to their boss only, whether it’s the CIO or the CEO or another executive, as their organisations encourage a strict chain of command. “In those cases the threat report would be part of the CIO report and not necessarily something called out individually,” deGrazia notes.
Others distribute their reports more broadly, sending them to the entire C-suite as well as their security teams, and they may also include board members on the distribution list, particularly if they work at organisations where the boards have subcommittees focusing on cyber security and/or have security-related regulatory requirements.
Or they may share their threat reports with board members but only in certain circumstances. “If it’s a high-level threat report, a good proactive CISO will distribute it widely,” says Jon Oltsik, an ESG senior principal analyst, an ESG fellow, and the founder of the firm’s cyber security service.
Form, function, and timing
Although there’s no single template for crafting a threat report, “it should look like whatever you think people will read,” says deGrazia. “Senior managers get hit with lots and lots of paper, so whatever format it’s in, it has to get their attention.”
CISOs also need to consider how often they want to generate these reports. Security leaders say the reports should come out on a regular schedule, whether they’re passed out weekly as Stebila did, monthly, or quarterly.
The best schedule is one that matches the organisation’s own cultural tempo, Rawlins says, adding that CISOs could also create and distribute customised reports to different recipients on different schedules based on the varying levels of threats and interest levels each party has. CISOs could, for example, share reports weekly with their CIOs but distribute them to the board only semi-annually.
That regular schedule should not preclude sending out threat reports in response to urgent issues, security experts say. “You can’t ignore the fact that things come up, and come up quickly, and those things need to be communicated up the chain as quickly as possible,” deGrazia adds.
Timothy R. Campo, who as director of Applications & Security at (ISC)2 is the senior-most security person in the organisation, has aligned his threat reports to the best practices outlined in the NIST 800-53 framework. He provides a report to the board quarterly and sends monthly summaries to the CEO, CFO, his security team, IT workers and a handful of others within the organisation.
Campo also issues cyber threat reports as urgent issues arise. For example, he distributed a report following news of the SolarWinds hack explaining the lack of risk to (ISC)2. “We had zero threat, but I had to lay it out in a way that was clear,” he says, noting that his report also outlined some proactive steps he decided to take as a result of the SolarWinds breach.
His approach for all reports is straightforward and direct: he uses a template so that recipients know with each report what information to expect and in what format.
“I provide just enough information,” he explains. “Due to my Navy background, I’m used to terse but actionable reports.”
What to include
Although cyber threat reports should communicate the threats, vulnerabilities, risks and mitigation initiatives, security leaders caution against going into too much detail.
“If you list every cyber security threat out there, it would be voluminous and useless. You have to come up with something tailored to the vulnerabilities of the organisation,” deGrazia says.
Threat reports should include information about threats that could exploit vulnerabilities within the organisation, how the security team is mitigating those vulnerabilities, how it’s defending against threats, and any additional actions that will be taken.
Furthermore, these reports should list any news-making events or significant incidents that impacted others, even if they’re not relevant to the CISO’s own organisation; that fact alone is worth reporting along with a brief explanation on why the CISO’s organisation isn’t at risk.
The reports should also highlight any trends or issues emerging on the horizon, to help avoid surprises down the road.
“Executives and the board really care about the things that impact them. That’s the art of writing these reports: The CISO has to know enough to say there are attacks going on but they’re not impacting us but there are other things that could hurt us,” Oltsik explains.
“So if I were writing a cyber threat report, it would be very concise, include what the incident is, who has been affected, what we know about it, whether we’re vulnerable—yes/no—and if yes, what do we need to do to mitigate that risk. And all of that would be [communicated] in business terms.”