Data breaches, ransomware attacks and concerns over risks tied to the global pandemic have heightened interest in cybersecurity among corporate boards of directors. Security leaders say BoDs have become more engaged in security matters, have a keener understanding of cyber issues, and have begun asking more sophisticated questions about risk exposure and ways to manage it.
Though many continue to view security as a cost of doing business, an increasing number of board members perceive it as fundamental to the business. With many companies accelerating digital transformation initiatives in the wake of the pandemic, boards want to understand how security can enable those efforts and support business requirements in an environment where the workforce has become a lot more distributed.
“Boards have become a lot more savvy about technology and understanding security,” says Timothy Youngblood, CISO at McDonald’s Corp. “They are somewhat driven by the SEC and their expectation that boards have some level of technical expertise,” he says. They have also been helped with a lot of guidance on cybersecurity from the National Association of Corporate Directors and others.
Consequently, the questions that boards are now asking security leaders have changed as well. Here, according to Youngblood and others, are six top-of-mind issues among BoDs these days.
1. Cyber accountability
CISOs need to be more prepared to answer questions around cyber accountability from the board, says Mathieu Gorge, CEO of risk management firm VigiTrust and author of the new book The Cyber-Elephant in the Boardroom. Cyber accountability refers to the ability of an organization to demonstrate that they have good cyber hygiene, and that if something goes wrong, they can trace everything back to a unique event, unique person or unique group, Gorge says.
CISOs need to be prepared to explain what cyber accountability is, why the organization should care, how to embark on a cyber accountability journey, and what it comprises. “Is it just proving that we can address a cyberattack and that we have a plan, or does it go beyond that? Who does it need to involve, how much does it cost and do we even need it?” Gorge says.
In articulating a response, security leaders need to keep in mind that what the boardroom really wants to hear is about accountability for the overall ecosystem of the business. That means in addition to their own organization, security leaders need to be able to describe how they might be holding franchisees, subsidiaries, business partners, suppliers and other third parties accountable for following security best practices.
That ecosystem could be international or be regulated by complex and often conflicting regulations and standards, all of which require some level of accountability. CISOs need to be prepared to answer what they might be doing, or plan on doing, to demonstrate that accountability. “Do you demonstrate it by being able to map the ecosystem, do you demonstrate it using controls that show you what is going on, do you show you have classified access to data by various stakeholders within the organization?”
2. Security status during COVID-19 and beyond
The shift to remote work prompted by the global pandemic brought more focus to questions that boards were already asking around cybersecurity, says James Edgar, CISO at business payment services company Fleetcor.
A lot of the immediate focus was on how the shift to remote work would impact the way the business would operate from an IT standpoint and from an overall business standpoint. The questions had to do with whether the organization was capable of transitioning a majority of the workforce to a remote model and still support the business.
Edgar says the questions he received from the board included those related to business continuity, and the potential impact to major IT projects that were already underway when the pandemic hit. “Can we deliver on the big things that we know are critical? Are we able to maintain current levels of security and compliance? What are our benchmarks and are we going to be meeting those when we come out of COVID-19?”
As things have stabilized, the focus has shifted to the organization’s ability to maintain its security posture in a post-COVID-19 world and what it is going to take by way of investments to achieve that. Edgar says one strategy that has worked for him is to provide the board with quarterly updates on the threat landscape and broad trends in the security space. “We provide them with regular updates on what we are seeing and what we are doing with ransomware, endpoint protection, network monitoring. We address what is happening in the world and what’s happening at Fleetcor,” he says.
3. Security strategy
Boards are thinking a lot more strategically about cybersecurity compared to a few years ago, says Youngblood. Many directors view cybersecurity as part of their fiduciary responsibilities and duties of due care and loyalty.
“The questions that you get today is how are you doing with what’s not under your control—as with third parties,” Youngblood says. With so much being outsourced these days, directors want to hear how enterprise cybersecurity investments are being protected. They want to understand what the organization is getting out of it and if there is anything that affects business objectives.
Youngblood says board directors like hearing about the organization’s readiness to respond to cyber incidents and whether controls are in place for detecting threats before they become a major issue. They want to know if cybersecurity is tied into the digital transformation chain in such a way that security is built into every step rather than bolted on at the end. Significantly, boards increasingly want to know about any investments the organization may not have made that could have a negative impact on cyber risk, he says.
Answering such questions can be tricky, which is why it is a good idea to have a role for the CIO, CPO, and other stakeholders at a board meeting. When speaking with the board on strategic security topics, make sure there are no surprises for the CIO in your presentation, he says. Understand your board’s risk appetite and make sure to frame cyber risk in the broader context of enterprise risk management.
“My recommended approach around this starts with being able to talk in terms of the business and business outcomes,” Youngblood says. “What I don’t do is go into a conversation talking about things in a more tactical manner.”
4. Benchmarking against industry best practices
There’s a high level of interest within boards in how well—or not—their organization’s security posture stacks up against peers, says Brandon Hoffman, CISO at cloud services provider Netenrich. One driver could be the fact that in breach situations, a company’s security measures are often compared against industry best practices or with practices employed by peers.
“There is a strong interest at the highest levels to understand risk relative to the industry,” Hoffman says. Often such comparisons by themselves do little to foster a safer, less risky environment. Even so, many boards want it because there are few methods to effectively measure security in a business context.
“One of the biggest mistakes CISOs make is not contextualizing security related risk to business risk,” Hoffman says. “Instead, the reporting revolves around compliance frameworks and technical measurements,” that at best are indicators of day-to-day action. “Unfortunately, this really does not help the executives or board of directors understand impact to the business.”
5. Resilience to cyberattacks
While boards are increasingly interested in cybersecurity at a strategic, enterprise risk management level, they remain deeply engaged in matters related to the organization’s ability to defend against and respond to cyberattacks. They want to know how you are using people, processes, and technology to reduce risk as much as possible while maintaining an appropriate balance between productivity and security, says Joseph Carson, advisory CISO and chief security scientist at Thycotic.
Questions that boards are likely to ask, and which CISOs need to be prepared to explain, include the exposure of key business services to threats like ransomware and the steps taken to reduce the risk of impact to a business service from ransomware or another attack. “Which threat is the most likely to impact the business and what is the financial exposure and options to reduce the risk,” he says. “What is our cyber risk gap, such as the cost to reduce the risk versus the cost of doing nothing?”
Be prepared for questions on incident response plans and whether you have tested exposure for each of the most likely potential threats to the business. “What are we doing to segment each part of the business and control access?” Carson says. “Which regulations and compliance requirements are we above and beyond, meeting, or failing to meet, and how do they align with the business cyber risks?”
6. Continuous compliance
Be prepared to talk about continuous compliance and continuous security, Gorge says. Board members have a tendency to ask how much time an investment in cybersecurity will buy the company. “The question is, ‘okay we are going to do this once and we are going to be good for a few years, right? Or do I need to do this on an ongoing basis?’” he says.
This is where CISOs and other security leaders need to introduce the idea of security and compliance being a journey and not a destination, Gorge says. They need to show that as the business evolves, so do security needs. It’s important that security leaders emphasize the need for continuing investments in cybersecurity in terms of money, time, and effort. Explain how over the course of three to five years such investments are going to result in reduced costs, improved security, improved customer confidence and other tangible benefits.
With both cyber accountability and continuous compliance, the biggest challenge for CISOs is showing how cybersecurity can be a business enabler and not merely a cost, Gorge says. “Rather than say, ‘if we don’t do it, there might be a security incident,’ show how you can use your existing models to put cybersecurity on the balance sheet in a way that actually adds value.”
Copyright © 2020 IDG Communications, Inc.