Sam Olyaei, Director Analyst, Gartner.

Top 5 questions the Board can ask their CISOs

Recently, boards have been asking security and risk leaders for guidance on how to navigate a global pandemic, increased phishing threats and, potentially, a workforce unaccustomed to working from home.

The problem is, these questions are unanswerable. They are driven by exaggerated, incomplete or contradictory public information and are a distraction from more relevant questions.

Additionally, security leaders need to be able to give the board something that they care about and that is meaningful to them. Beyond individual passions and concerns, boards collectively generally care about three things:

Revenue, mission: Operating or nonoperating income and enhancing non-revenue mission objectives

Cost: Future cost avoidance and immediate decrease in operating expenses

Risk: Financial, market, regulatory compliance and security, innovation, brand, and reputation

As board members realise how critical security and risk management is, they are asking leaders more complex and nuanced questions. Boards today are becoming more informed and more prepared to challenge the effectiveness of their companies’ programs.

Most board questions can be categorised into five areas.

#1 The incident question

What it sounds like: How did this happen? I thought you had this under control? What went wrong? 

Why it is asked: These questions are asked when an incident or event has occurred and the board either already knows or the CISO is informing them of it. This is particularly relevant for CISOs during the Covid-19 pandemic, when boards may be asking questions specific to securing the organisation while large portions of employees are working from home under unusual conditions. This could also be in reference to any other incident, including data breaches that may have impacted the organisation in general.

How to respond: An incident, regardless of category, is inevitable, so be factual. Share what you know and what you are doing to find out anything you do not currently know. In short, acknowledge the incident, provide details on business impact, outline weaknesses or gaps that need to be worked out, and provide a mitigation plan.

Be cautious not to endorse one option as the ultimate choice when in front of the board. The responsibility for oversight of security and risk remains with the security leader, but the accountability always has to be defined at the board or executive level.

#2 The trade-off question

What it sounds like: Are we 100% secure? Are you sure? 

Why it is asked: Questions like this are often asked by board members who do not truly understand security and the impact to the business. It is impossible to be 100% secure or protected. The CISO’s role is to identify the highest-risk areas and allocate finite resources toward managing them based on business appetite.

How to respond: Considering the ever-evolving nature of the threat landscape, it is impossible to eliminate all sources of information risk. My role is to implement controls to manage the risk. As our business grows, we have to continually reassess how much risk is appropriate. Our goal is to build a sustainable program that balances the need to protect against the need to run our business.

#3 The landscape question

What it sounds like: How bad is it out there? What about what happened at X company? How are we compared to others? 

Why it is asked: Board members will come across threat reports, articles, blogs and regulatory pressure to understand risks. They will always ask about what others are doing, especially peer organisations. They want to know what the weather looks like and how they compare to others.

How to respond: Avoid guessing at the root cause of a security issue at a different company by saying, "I do not want to speculate on the incident at Company XYZ until more information is available, but I will be happy to follow up with you when I know more." Consider discussing a series of broader security responses, such as identifying a similar weakness and how it is being fixed, or updating business continuity plans.

#4 The risk question

What it sounds like: Do we know what our risks are? What keeps you up at night? 

Why it is asked: The board knows accepting risk is a choice; if they do not, that is a challenge you need to solve. They want to know that the company's risks are being handled. CISOs should be prepared to explain the organisation's risk tolerance to defend risk management decisions.

How to respond: Explain the business impact of risk management decisions and ensure that your positions are supported by evidence. The second part is vital because boards are making decisions based on the risk tolerance. Any risks outside the tolerance level require a remedy to bring them within tolerance. This does not necessarily require dramatic changes in short periods of time; beware of overreacting.

The board will be seeking assurances that material risks are being adequately managed, and that subtle, long-term approaches may be appropriate in some instances. Remember, the board is accountable for enterprise risk, of which cyberrisk makes up a small, albeit important, component of the organisation. Challenge yourself to be brief and to the point. A lack of a control is not a risk, and neither is the next big threat. Focus on the big-ticket items that you control – Loss of IP? Regulation? Third-party risk?

#5 The performance question

What it sounds like: Are we appropriately allocating resources? Are we spending enough? Why are we spending so much? 

Why it is asked: The board will want reassurance that security and risk management leaders are not standing still. Board members will want to know about metrics and ROI.

How to respond: Use a balanced scorecard approach in which the top layer expresses business aspirations and the performance of the organisation against those aspirations is illustrated using a simple traffic-light mechanism. As much as possible, explain aspirations in terms of business performance, not technology. Performance is underpinned by a series of security measurements that are evaluated using a set of objective criteria.


Key takeaways

  • Security leaders need to be able to give the board something they care about and that is meaningful to them.
  • Beyond individual passions and concerns, boards collectively generally care about three things – revenue, cost, risk.
  • An incident, regardless of category, is inevitable, so be factual.
  • Share what you know and what you are doing to find out anything you do not currently know.
  • Be cautious not to endorse one option as the ultimate choice when in front of the board.
  • Responsibility for oversight of security remains with the security leader, but accountability has to be defined at the board level.
  • It is impossible to be 100% secure or protected.
  • CISO’s role is to identify highest-risk areas and allocate finite resources toward managing them.
  • CISOs should be prepared to explain organisation’s risk tolerance to defend risk management decisions.
  • Avoid guessing at the root cause of a security issue at a different company.
  • Remember, the board is accountable for enterprise risk, of which cyberrisk makes up a small, albeit important, component.
  • Challenge yourself to be brief and to the point.
  • Lack of a control is not a risk, and neither is the next big threat.
  • Focus on the big-ticket items that you control – Loss of IP, Regulation, Third-party risk.

How secure are we? Why do we need more money for security? Chances are, most CISOs have heard these questions from their boards of directors.