The potential ramifications of a cybersecurity breach are so great that CEOs and their corporate directors should be as committed to improving cybersecurity as they are to controlling financial and other business risks. Yet because of the technical nature of cybersecurity risk and the non-technical backgrounds of typical corporate leaders, boards often fail to give cybersecurity the top-level attention it deserves. To protect their businesses, CEOs and directors must demand appropriate briefings from their chief information security officers (CISOs).
I addressed this topic on January 30 at a regional roundtable hosted by the National Association of Corporate Directors (NACD) and Accenture Security. This blog post contains some of the ideas I shared.
Boards should demand cybersecurity briefings that capture four key components:
Threats to the company’s most important lines of business, and how those threats are changing.
What the business is doing to protect itself from cyber attacks and how effective those tactics are.
Strategic options and initiatives across the business and what it is doing to manage the risks they pose.
Remaining risks and what the business needs to do about them.
On the first component, threats to the most important business assets and how they are changing, the briefing should focus on threats that create real risk for the business. If it does not, the second component, what is being done and how effective it is, is undermined, because the organization will be reporting on its defenses without reference to the parts of the threat landscape that matter most.
While CISOs understand cyber threats to the business, they sometimes struggle to convey those threats effectively. Too many CISOs go to their CEOs and boards with scorecards overloaded with data on compliance challenges or technology issues. As a result, business threats are lost in a swamp of information or, at the very least, their significance is diluted. That in turn leads to one-way communication that precludes discussion of the strategic impact of threats and the strategic decisions they require.
Boards should instruct CISOs to measure and communicate security risk in non-technical business terms that directors will find relevant. For example, rather than receiving metrics on encryption coverage, boards should ask for metrics on how well customer data is protected. Likewise, directors should ask to be briefed on metrics around maintaining the integrity of production environments, rather than on how often software applications are “patched” (security updates applied). Patch cadence is an operational input the security team needs to track; it is not, on its own, a measure of business risk.
There are comments a CISO might make in a briefing that should cause concerns for board members. One example of such a red flag would be a statement along the lines of, “We can mitigate all these threats with product X.” In fact, there is no single security product that can sufficiently mitigate all risks.
Other examples of red flags include:
“We are totally secure.” This statement is a problem because it is absolute, but absolute security is not possible.
“We have the necessary technology stack to prevent X.” Prevention is necessary, but no enterprise should rely on prevention alone. It should plan for a combination of prevention, detection and response, on the assumption that some attacks will get through.
Directors should demand answers to certain critical questions during a cybersecurity briefing. For example:
Where does the information security team get its threat intelligence, and does it come from a variety of sources? Another way to ask this is, “How does the security team get notified of critical vulnerabilities and threat actors, and are those notifications timely?” (Boards should expect to hear that the sources are diverse.)
What is our worst-case scenario for cyber attacks?
What keeps the CISO up at night?
Can the business protect online customers so they continue to buy?
Can we safeguard our most important assets such as contracts, pricing sheets or merger and acquisition data?
Can we protect our intellectual property from the devastating impact its theft would have on our marketing and business plans?
Can we prevent employees from stealing from the company?
The bottom line
Board members who are not well informed and who do not ask good questions cannot adequately hold security management accountable. But it’s a two-way street. Security management must frame messages for board members in terms they can understand, while educating them. For their part, directors should spend time learning about cybersecurity (NACD has a certification program to help with this) and ask tough questions. They must also communicate their expectations, such as by telling security management they want the “real” story on what’s going on, framed in terms they can understand, instead of a list of red/orange/green status metrics.
This is the only way directors can truly manage cybersecurity risks as well as they manage other business risks.