“Security and risk management must become part of every business decision, and nobody within the enterprise is better positioned to advocate for those issues than the CISO.” — Fast Company
The relationship between the chief information security officer (CISO) and the board of directors is a topic that has received increased visibility in the past few years. The 2017 edition of the “Director’s Handbook on Cyber-Risk Oversight,” published by the National Association of Corporate Directors (NACD), is full of insights on the CISO-board relationship and provides updated recommendations for board directors to follow regarding oversight of cyber risks.
Five Ways to Encourage CISO-Board Engagement
Among the new elements are several appendices that offer valuable advice in areas of critical importance, including:
- Cybersecurity Considerations During M&A Phases (Appendix B);
- Board-Level Cybersecurity Metrics (Appendix E); and
- Building a Relationship With the CISO (Appendix I).
We will focus on the last point, the CISO-board relationship. Appendix I of the NACD handbook provides fresh questions for boards to consider with respect to their CISOs. Below are five ways boards can build and enhance their relationships with CISOs.
1. Seek to Understand the Mandate and Role of the CISO
The positioning of the CISO greatly impacts his or her ability to achieve the visibility and influence required to appropriately manage cybersecurity and cyber risks. From an organizational perspective, it is key for the CISO to have the ear and attention of senior management and the board, to hold engaged conversations about cyber risks, and to ensure that these risks are integrated into the enterprise risk management (ERM) program.
Boards should pay special attention to where the CISO is positioned on the organizational chart, who controls the CISO’s budget, and the extent to which security projects might have to be cut due to budget or, in light of the current skills gap, staffing issues.
In addition, boards should review the frequency and quality of interactions between the CISO and other C-level executives. A 2016 report from the IBM Institute for Business Value, “Securing the C-Suite: Cybersecurity Perspectives From the Boardroom and C-Suite,” brought to light the disconnect between CISOs and chief information officers (CIOs) and the rest of the C-suite when it comes to security.
To ensure that top management is appropriately engaged in cybersecurity, the report made the following recommendations:
- Establish a security governance model and program to encourage enterprisewide collaboration.
- Craft foundational materials for executive-level education.
- Include the C-suite in developing an incident response plan and share it with the board for input.
- Enforce security standards across both IT infrastructure and business processes.
2. Get to Know the Security Team Before an Incident
Boards are urged not to wait until a security incident has occurred to start familiarizing themselves with the security team. This is especially important because few CISOs — just 18 percent, according to the Deloitte Review — come from a management background or have as much experience as the rest of the board and C-suite.
Since much of the CISO’s role is to build and manage the trust that the organization’s leadership and customers rightfully expect, boards should engage early and often with the CISO’s team to establish and reinforce this sense of trust. Such interactions will also provide the CISO with the opportunity to determine the level of background knowledge board directors have about cybersecurity. For some, interactions may need to start at a basic level, such as with tablets and smartphones, and cover the risks inherent in all technologies.
3. Review the CISO’s Network of Influence
The IBM IBV study revealed that it is critical for CISOs to have appropriate, quality interactions with the rest of the C-suite. When it comes to internal visibility and influence, they cannot afford to be siloed in an IT-centric role. The CISO needs to be an active participant in all aspects of the organization, including business development, supply chain and third-party vendors, and engage with the legal, internal audit and human resource departments to ensure adequate employee onboarding and offboarding practices.
Beyond the confines of the organization, boards should also review the level of participation in information sharing activities such as public-private partnerships, other channels in which peer organizations share cyberthreats and indicators, and relationships with relevant law enforcement agencies.
4. Assess the CISO’s Performance and the Organization’s Security Posture
In less than a decade, cyber risks have become a key issue for boards and top management. While some organizations had the foresight to create a CISO position early on, those positions might not currently be staffed by the right person for the job. Instead of having an IT-centric perspective, this security leader should approach security issues in terms of cyber risks and their impact on the organization’s ability to achieve its business objectives.
CISOs must become strategic advisers to their organizations, top executives and boards of directors, and they have to communicate frequently and effectively. This comes easily, almost innately, to some CISOs. Others struggle to communicate, due either to unfamiliarity with the territory or to an organizational culture that still views the role as a limited, narrow position.
The NACD handbook urged boards to ensure that the metrics to evaluate the organization are appropriate. And since the language of the board is risk, boards should confirm that the organization has deployed a sound, risk-based approach to evaluating, reporting and managing cybersecurity, ensuring adequate protection for its most valuable assets.
In addition, boards are under increased pressure to adopt one of the standard frameworks, such as the NIST Cybersecurity Framework (CSF) or a risk management standard from the International Organization for Standardization (ISO).
5. Actively Review the Cybersecurity State of the Organization
Board directors must have frequent discussions and continuously review the state of cybersecurity within the organization. Together with the CISO, boards should discuss lessons learned from recent incidents to fill any gaps and ensure that appropriate lessons are drawn and incorporated into incident response practices.
From a planning and oversight perspective, boards need to make sure that the organization is making adequate progress in shoring up its most critical cyber risks, leveraging internal audits and external penetration tests, and conducting red team exercises. For areas in which gaps remain, the board should take an active role in reviewing management’s plans and ensuring that appropriate resources have been provisioned.
The Future Depends on the CISO
A breach at any point in the organization’s systems can lead to a massive compromise of the entire network and, possibly, all the organization’s data. Given that cyber risks don’t respect the functional boundaries of the organization, the CISO-board relationship is one of the most critical dynamics in business today. The organization’s future depends on it.
For more insights from Chris Veltsos, listen to the podcast: Directors Are From Mars, CISOs Are From Venus
InfoSec, Risk, and Privacy Strategist - Minnesota State University, Mankato