Fortune published an article highlighting seven ways the executive board could reach out to top talent in the cyber sector. To hear about TMG’s thoughts on sourcing the best in the industry, please contact our Vice President, Deborah Page.
Corporate boards and chief information security officers have never been great at speaking the same language—but it’s more important than ever for businesses to avoid making major data security mistakes.
The SEC recently enacted a new rule requiring that companies disclose material cybersecurity incidents within four days of the event, and include details about a company’s framework for managing cybersecurity risks in their annual reports. That means boards are motivated to ensure that breaches are rare and that a company is managing its digital infrastructure with the right people, resources, and systems.
So, what should board members expect from their chief information security officers (CISOs) when they’re reporting on cyber risks? And how should board members act towards their CISOs in turn? Diligent, the governance software provider, convened a panel of experts to discuss best practices in cyber reporting during its recent Modern Governance Summit. Here are the top takeaways from that session:
—CISOs should be thinking about the specific information the board needs to know. Boards have a handful of key duties, including monitoring possible future risks to a company, ensuring that capital is allocated properly, and overseeing a company’s long-term strategy. CISOs must know how to tailor their presentation to the board’s specific needs. “It is the job of all the operating executives to figure out and synthesize what’s important, what boards need to know to be able to do their jobs effectively,” said panelist Shelley Leibowitz, a board member at Bitsight, a cybersecurity firm, and former CIO of the World Bank Group.
—Neither boards nor CISOs should assume that zero risk is the right amount of risk. In fact, a CISO who reports that a company faces no risk of a cyber attack would look suspicious, said Leibowitz. Thinking about risk that way is also plain wrong, said Walt Powell, field CISO at CDW, an information technology and services company. “If you think about an entrepreneur, you’re risking money to make money. That’s the whole point of being in business,” he said. One of the first questions boards and cyber teams need to answer together is “What is the right amount of risk for us?”
— CISOs should create measurable metrics for risk. Most companies compare their performance against their competitors and create “key performance indicators,” or KPIs. CISOs can speak the board’s language by converting cyber-related KPIs into “key risk indicators,” or KRIs, according to Powell. “You just throw some quantification against it and, boom, you’re off to the races.”
— Boards should ask CISOs for third-party assessments of a company’s digital security situation. “As a board member, I assume you’re all A-players doing your jobs, and I know that you are doing the very best job in protecting our organization against risks and threats—with confirmation bias,” said Leibowitz, speaking to hypothetical CISOs. “It’s not a criticism, it is not a value judgment,” she added. “I want an outside view.”
— CISOs need to know that sharing the general cyber threat landscape at an annual board meeting is not the best use of the board’s time. Telling boards about what’s happening in the world of cybersecurity means “you’re telling boards the wrong story,” said Powell. Boards want to know about the risks to their business. It might be that you’re not spending enough to reduce the risk of a cyber breach or you need to reduce costs for IT, he added.
— Boards should assess whether their CISO has the company’s entire software process in view. “The most significant leading indicator of great cybersecurity in organizations is how well they have all of their software production process under control,” said Phil Venables, CISO at Google Cloud. “The percentage of an organization’s software that is built and deployed in a repeatable, fast, high-assurance process is clearly important for security, but also for agility and productivity, reliability, a whole array of other things,” he added.
In his experience, very few companies are anywhere close to having a full view of their software production in one location, and some IT leaders have even questioned whether such accounting is necessary. However, Venables said that if a CFO were to say that a company’s financial records were scattered here and there across the company, “You’d think you need a new CFO.”
—Take your CISO out to dinner. While it’s not crucial to have a cyber expert on the board (most boards don’t, according to a new report by Diligent and the venture capital firm NightDragon), director education is essential, the panel said. Cyber lessons might happen in meetings, or directors might take courses, or the learning can happen informally. Indeed, Venables encourages CISOs and board members to plan one-to-one dinners, so that directors can ask basic technical questions without any risk of looking ignorant in front of their peers.
