The pressure is on for corporate leadership to get a better handle on cybersecurity. But unlike other board governance processes that are a lot more mature (e.g., financial risks, market pressures), when it comes to cyber risks, boards need help — help that the chief information security officer (CISO) is uniquely positioned to deliver.
Boards want better insights into how cybersecurity management decisions are made and often complain of getting briefed with techno-babble and operational security metrics instead. How can CISOs better bridge the communications divide and improve the board’s ability to provide adequate oversight of cyber risks?
A recent report titled “Leveraging Board Governance for Cybersecurity,” issued by the Advanced Cyber Security Center (ACSC), a nonprofit effort to enhance cyberdefense and informed policymaking, helps shed light on the disconnect. Boards have a strategic role to play regarding cybersecurity, but are hampered by their limited understanding of cyber issues, the quality and frequency of the reporting they receive from management, and inadequate board governance structures that often hold back key information from the full board.
While some organizations have improved their board governance processes on cybersecurity issues, much of the work to drive progress falls on the shoulders of the CISO. The good news is that, unlike a decade ago, there is now a lot more information available to guide CISOs on key cybersecurity issues to take up with boards and, where appropriate, resources designed specifically for board directors — such as the National Association of Corporate Directors (NACD)’s “Director’s Handbook on Cyber-Risk Oversight.”
Engage Board Directors on Cyber Risks
A key finding from the ACSC report is that only 21 percent of boards said they had what can be described as a “full partnership” level of engagement regarding cybersecurity and digital transformation. What does a full partnership look like? It includes getting regular updates, engagement around cyber risk priorities, and actual discussions with feedback and consideration of cyber risks in both strategic and operational decision-making. Even when boards viewed security as an important issue, it was often given more of a cursory review; 53 percent of respondents reported that very few — 5 percent or less — full-board meetings focus on cybersecurity.
For CISOs, this provides an opportunity to ask just how well the board is able to provide strategic guidance for management’s risk decisions. Consider:
- Have board-level discussions impacted cyber risk decisions?
- Can the organization improve the way it frames strategic discussions to include key cyber risk concerns? Something more akin to the way the organization considers other risks and strategic decisions, such as financial risks or market growth?
- Are cyber risks tied to investment decisions?
- Is responsibility for cybersecurity embedded in all corners of the organization, and are cyber risks considered early on in the development and acquisition phases?
- Is there a C-level committee — a steering committee of sorts — that meets regularly, at least quarterly?
Both the ACSC report and the NACD handbook advocate for these improvements to board governance processes, and CISOs should leverage these resources fully.
Ensure the Board Has Sufficient Security Expertise
The report echoed a common complaint among CISOs: “Most boards do not yet have sufficient expertise in technology or cybersecurity to serve as strategic thought partners on cyber risk.” Furthermore, 38 percent of respondents said their board viewed cyber risks as just “somewhat significant,” a dangerous indifference that, as recent breaches and ransomware attacks have shown, can bring an organization to its knees in the blink of an eye.
While CISOs may not be able to change whether boards consider recruiting directors with cybersecurity expertise, they can work to provide additional education and training to existing board members about how cyber risks can impact the business. Such cyber briefings could even include taking a tour of the data center or visiting one of the increasing number of cyber ranges or simulation centers.
CISOs should take stock of the current level of knowledge of the full board and work to improve the board’s cybersecurity expertise. Board members should receive consistent training and enhance their cybersecurity expertise, whether that is delivered by the CISO, by engaging external cyber risk advisers or through third-party assessments.
Link Cybersecurity Investments to Measurable Business Outcomes
One of the key roles of the board is to ensure that cybersecurity investments are appropriate for the levels of risk faced by the organization. As part of their broader involvement to ensure an effective digital transformation, boards should review the organization’s cybersecurity budget.
While most security budgets have grown in recent years, they are still too often tied to a fraction of overall IT budgets instead of being considered independently for their ability to support and balance the organization’s growth strategy with the risks it faces. CISOs should keep in mind that bigger budgets will mean bigger asks by management and the board, so it is important for CISOs to be seen as good stewards of their organization’s cybersecurity investments.
Boards often ask, “How do we know when we’ve done enough?” That’s why investments in personnel, process improvements and technology should be directly linked to measurable outcomes — the expected impact on cyber risks — and also tracked in terms of helping the organization achieve its business objectives. Every security dollar should be spent with an eye toward supporting the organization’s overall business and security strategy and helping to balance risks with rewards.
Find the Best Risk Metrics for Your Organization
Another striking element of the ACSC report is the largely operational nature of cybersecurity metrics and measures being reported to boards today. Examples of these operationally focused metrics include the number of attacks stopped, number of machines patched, number of breaches per period, percentage of systems in compliance and security budget as a percentage of IT budget. Unfortunately, such metrics and measures do very little to help top management and boards make informed risk judgments.
Operational metrics have their value for CISOs during internal discussions with their teams and, to a limited extent, for discussions with management. But CISOs and boards should come together to agree on better risk metrics that are relevant to directors to help establish trust and engagement, and to improve the board’s ability to make informed risk judgments. This is also an opportunity for CISOs to work with legal counsel to determine if the security strategy is aligned with the organization’s duty to protect the information it is entrusted with.
CISOs Should Help Reshape Board Governance Around Security
It is undeniable that CISOs have a lot on their shoulders since they are tasked with operational responsibilities while also playing an increasingly strategic role. The CISO can be a partner in reshaping the board’s level of engagement around cyber risks by providing regular training and education, more directly connecting security investments with the expected benefits for the organization, and reporting with more strategic and less operational metrics.
InfoSec, Risk, and Privacy Strategist - Minnesota State University, Mankato