As part of our recent Conversations with Leaders virtual conference, a roundtable of current and former CISOs and a cybersecurity attorney discussed key messages and how to deliver them to ensure Board interactions are relevant, educational, and impactful for their governance.
At the top of any company is the Board. These are the directors who generally don’t manage the business day-to-day but provide governance, guidance and oversight to the senior executives who do. Most importantly, in a legal sense the buck stops with the Board – they are the ones who have a legal obligation to ensure the business is run diligently within the law and in line with regulations.
Board members – particularly independent or external directors (in the UK these are called non-executive directors, or NEDs) – are seldom in the building. They rely on the executive team to keep them informed, and CISOs must feed the executive team with what they need to pass to the Board. So how do we do it? This was the topic of conversation in the closing discussion of the ISC2 virtual conference Conversations with Leaders.
Making Sure the Message Gets There
One of the first things we need to be sure of is that the information we put together for the Board reaches them in the form we intended. Many CISOs have seen their submission, which screams “Danger, Will Robinson” and describes major risks, somehow arrive at the Board as a serene summer meadow scene that calmly says: “Nothing to see here.” Brandon Dunlap, moderator of the discussion, clearly had prior experience, noting: “Sometimes someone else is carrying the flag for you, right? You may report to the CIO, they may take your slides, cut half of them out, and then go in with this ‘I'm going to look good, because I've got this under control’, and might not have the right kind of conversation.” If there is a good-news story we should of course tell it, but it is even more important that we tell the Board how things are: it is above our pay grade to decide what they should and should not hear.
As Juan Gomez-Sanchez, VP and Global Information Security Officer at Whirlpool, noted in the discussion, “It's the natural tendency of everyone who presents to the Board to look good, right? Our roles as CISOs are not necessarily to look good, but to be transparent. The last thing you want as a CISO is to present a picture and then bad things happen and the Board comes back and says, ‘But you told me it's a good picture, how do you relate those two things?’.” He summed it up succinctly: “Ultimately, there are problems, you're going to have to present those problems.”
How a Board wants to hear about cybersecurity
Very few Boards have much cybersecurity knowledge, and where they do it tends not to be particularly technical. So we as security specialists must learn to speak the Board’s language, and that language is risk.
No two organisations are identical and so the appetite for each type of risk will vary from place to place. Jennifer Sosa, Director of Consulting and Information Governance at TransPerfect explained, “You might say ‘Listen, as an organisation, we realise that there's this regulation out there, we think the likelihood that we're going to be affected by its application to us is very low. So, we're going to sort of run up against it until we can't’. Other organisations might say ‘Look, I have no appetite to tango with a particular regulation so I'm going to keep a really tight ship and try to follow it as close to the letter as possible’.”
Measuring risk means combining likelihood (the probability of something adverse happening) with impact (the effect of the event on the company). Of the two, impact received most of the group’s attention.
Impact can take any number of forms: financial (e.g. fines or lost revenue), environmental (e.g. a discharge of something nasty into the water table), reputational (e.g. negative press coverage), personal (e.g. someone being injured); the list goes on. Most incidents will have more than one type of impact. Juan said, “I have yet to come across cyber impact that hasn't resulted in business impact.” Boards understand impact, so we can take advantage of this by communicating our cyber risk in that context. “I will challenge that 95 of something on some pool of servers or infrastructure to, let's say, a board member, means nothing because I haven't tied that something to an impact,” Juan added.
Malcolm Harkins, Chief Security & Trust Officer, Epiphany Systems (and former staff member at chipmaker Intel), added some context. “Go back to Intel. Back in the early 2000s, I helped build the Enterprise Risk Management (ERM) stuff that was led by Internal Audit and a few other things. When I landed in security a couple of years later, well, I just went to the ERM, you’ve got loss of the factory, fire, flood, earthquake, whatever … okay, well, great. The board understood that. Now my job was to say, ‘How can I, quote unquote, lose factory output because of a cyber incident?’.”
When it comes to deciding what to report, the suggestion was to start from a potential impact and work backwards. Juan described the method: “Go through the business impact. Understand it, go and talk to the finance team, whoever you need to talk to. What's a bad day for us? And then back it up? Just say, ‘How can a cyber event result in that?’ And I think that's the easiest way and, you know, foolproof way of getting the attention of the people that you need to get the attention of.” Malcolm added, “We should also expect the boards to be more cyber savvy, just like you wouldn't expect somebody to be on the board who doesn't know what a looks like.”
Board contact is at a premium
Finally, we need to make the most of the time the Board spends consuming the cyber-related information we give them, whether in person or just by reading a slide deck that is emailed to them. Brandon noted, “I know people that get 15 minutes twice a year with the Board. I know some people that get an hour, but it's with the audit and risk committee and it's every quarter.” Board bandwidth is at a premium, so make the most of it and don’t try to tell them everything. Don’t bother with 20-page slide decks; the shorter the better, and if there are more than two or three slides that is probably too much.
Clearly identify the top few cyber risks: those with a reasonable likelihood of occurring and the biggest impact if they do. Give an estimate of the various impacts each would have. Use numbers where you can and avoid subjective opinions; if they want your opinion on a fact you provided, they can ask. Don’t go wild with good-news stories, since the things that are going well are, almost by definition, not what the Board will worry about. The exception is when the good news is that a major risk you reported previously has now been mitigated, as that closes it off in their minds.
And make it clear that you are available if they need you. Yes, your formal contact with them will be minimal, but forging an ongoing relationship with one or two of them can be massively helpful.
Communicating entirely in cyber-speak to people who don’t speak it natively will always produce a sub-optimal result. Do what you can to speak the Board’s language. Give them what they need, clearly and concisely. Prioritise it by the potential impact to the business if something goes wrong, not by your personal, and potentially biased, opinion of what is important.
They are the ones who, eventually, must deal with the fall-out when something bad happens. The more you forewarn them, the more backing they can give you to fix the items that fall outside their risk appetite.