“There are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns — the ones we don’t know we don’t know.” — Donald Rumsfeld, former U.S. Secretary of Defense
Board directors are under pressure to demonstrate effective oversight of cyber risks — something which, admittedly, they know little about. Is there anyone better suited to educate top leadership about cybersecurity than the chief information security officer (CISO)? Perhaps in a decade or two, those in CEO, chief financial officer (CFO) and board director roles will receive enough education and on-the-job experience to have a solid grasp of cyber risks.
The Boardroom Reality
According to Tom Fuhrman, managing director at Marsh Risk Consulting, the situation in the boardroom and the C-suite today is far from ideal. “Unfortunately, many boards do not currently have the required cybersecurity knowledge nor strategy to effectively combat this risk,” Fuhrman wrote.
Cyber risks are top of mind for boards. The National Association of Corporate Directors’ (NACD) “2016-2017 Public Company Governance Survey” revealed that 34 percent of board directors foresee cybersecurity threats as having the greatest effect on their companies over the next 12 months. A companion NACD article noted that many directors “wrestle with effective oversight of cyber risk. Many of them lack confidence that their companies are properly secured and acknowledge that their boards do not possess sufficient knowledge of this growing risk.”
When asked to describe their confidence level that their company is properly secured against a cyberattack, only 42 percent of directors said they felt confident or very confident. Additionally, 59 percent reported that it was challenging to oversee cyber risks.
According to Mark A. Pfister, CEO and chairman of the board at Integral Board Group, cybersecurity should be at the top of every board’s agenda. “The board needs to understand that the likelihood of a cybersecurity breach in their environment is imminent and should equally prioritize the ‘proactive’ as well as ‘reactive’ planning and response,” he said.
Still, the board’s role isn’t to micromanage cybersecurity operations. As Cleary Gottlieb reminded us, the role of board directors is to “oversee the implementation of appropriate systems and controls to protect against cybersecurity incidents,” and to ensure that the systems are effective. This requires an ability to recognize and understand weaknesses in the organization’s current security program.
Four Ways to Educate Executives About Cyber Risks
The CISO must step in and step up to empower board directors to properly oversee cyber risks. However, CISOs are strapped for time and resources, and many don’t know how to translate their deep technical knowledge of cyberthreats into business terms.
To bring security awareness to the board level, security leaders must be willing to revise their approaches to dealing with executives. Here are four ways that CISOs can play a key role in educating top leadership about cyber risks.
1. Strive for Regular Engagement
A recent Accenture report, “The Cyber-Committed CEO and Board,” noted that “as much as the CISO needs to understand business, the CEO needs to understand security and manage it like any other business risk.” While top leadership might not yet feel comfortable with their current understanding of cyber risks, regular engagement and feedback can help educate executives, which in turn helps the CISO shift into more of a business-advisor role instead of a guardian or technologist role.
In its “Director’s Handbook on Cyber-Risk Oversight,” the NACD advised CISOs and top leaders to make time to get to know each other away from the rush of board- and executive-level meetings. CISOs can provide advice about directors’ own personal technology as a way to break the ice and develop the relationship. Top leadership should also be invited to tour security operations, ask questions about the incident response process and participate in tabletop exercises.
2. Provide Regular, Business-Focused Updates
CISOs must adapt their own approaches to hold directors’ attention. Regular engagement with executives requires security leaders to improve their listening and communication skills, and present information about cyber risks in ways that make sense to board members.
The Accenture report advised CISOs to shift away from discussing operational security issues with the board and instead seek to communicate at a more strategic level, translating technically focused information into terms of its potential impact on business objectives. The report argued that interactions between the CISO and top leadership should “capture the strategic picture of cybersecurity in the business,” and that security leaders should “speak the language of business impact in all cybersecurity communications.”
3. Develop Cyber Risk Metrics and Dashboards
The NACD provided two appendices in its directors’ handbook to help CISOs reflect on their current reporting practices and refine them to meet the expectations of top leadership. Appendix E deals with board-level cybersecurity metrics, while Appendix F provides sample cyber risk dashboards.
The guiding principle is to avoid operational metrics, since these provide little strategic value for board directors. Metrics should be relevant, reader-friendly, meaningful, concise and a catalyst for further dialogue.
4. Be Open and Honest
The role of the CISO isn’t to shield top leadership from cyber risks — it is to translate and communicate these risks in terms of business impact. Security leaders must also be very frank about what the organization is doing well and areas that need improvement.
According to a Bay Dynamics report titled “A Day in the Life of a Cyber Security Pro,” many security leaders sugarcoat security issues when communicating with executives. This leads to unrealistic expectations across the leadership spectrum.
Directors need an accurate picture of the situation on the ground. The report noted, for example, that 30 percent of security teams spend large amounts of time dealing with false positive alerts. Security professionals also ranked “stress created by management” and lack of workforce resources as two of the most significant sources of anxiety in their organizations. Furthermore, security teams said they were overwhelmed by the volume of vulnerabilities (74 percent) and security incidents (79 percent) they need to address.
Improving the State of Cybersecurity
Speaking of areas that need improvement, in its “State of Cyber Security 2017” study, the Information Systems Audit and Control Association (ISACA) reported that only 31 percent of organizations routinely test their security controls, and 13 percent have never tested them. Even worse, 16 percent of organizations indicated they did not have an incident response plan.
These problems will persist until security professionals and board members get on the same page with regard to cybersecurity. Security leaders should openly discuss with directors ways to gauge the effectiveness of cyberdefenses — other than taking CISOs at their word — and the organization’s cyber resilience. The bottom line is that when security is weak, so is the business.