Cyber Security, the CISO and the Board: A Critical Partnership

Alliances and partnerships produce stability when they reflect realities and interests. ~ Stephen Kinzer

The old expression of “walk a mile in my shoes” is a fitting analogy for building a cyber safe organization. While there is no 100% guarantee of cyber security, the risk of cyber breaches can be greatly reduced when there is a good working relationship between the CISO, other department heads, and the Board.

A recent GSISS survey of the relationship between who the Chief Security Officer reports to and financial losses shows the importance of the Board – CSO/CISO relationship.

In the disruptive global business world of today and with risks stemming from individual hackers, criminal gangs and nation-state bad actors, the relationship between the CISO and the Board becomes increasingly important.

So, what are the elements that make up an effective CISO – Board partnership?

Both the CISO and the Board have significant accountabilities in building a partnership that helps reduce and mitigate breaches.

Role of the CISO

Seek to understand first, and then you will be understood.

Focus on the Business Issues: First and foremost, the CISO must understand the business issues that are important to the company and the board and are most impacted by cyber security. A good board will accept that their CISO has a grasp of the technical issues and is less interested in the mechanics of cyber security than in how cyber impacts the business, especially financial and operational performance, brand value and investor confidence. Presentations to the Board should always start with the strategic and business objectives of the company and show how cyber security is critical to successful strategy execution.

Integrate Your Cyber Security Plan with the Company Strategic Plan: Cyber security should be one of the strategic pillars of the company strategic plan, and the CISO should work closely with the Board in putting in place those cyber security initiatives that support the overall strategic objectives of the company. The CISO who develops his/her plans and budgets independently of the overall company strategy will find both support and funding difficult to obtain.

Link Security to Business Metrics: Your team should work hard to present ROI information. For example, you can show the estimated amount saved when an attack is thwarted, or the ROI of quicker breach containment. When asking for additional support or funding, start with the risk of potential losses and end with an estimate of ROI.

Provide Forward-looking Insights: Most of the information a Board receives is nearly 2 quarters old. To support the Board and the company, the CISO’s team should work hard to present forward-looking insights, indicating both upcoming opportunities for greater security and upcoming potential threats. The use of extrapolations and predictive analytics is very useful in helping Boards plan and make better recommendations.

Educate the Board: Most Boards have one or two members with good technical backgrounds, but the majority have little expertise in cyber issues; they should, however, be eager and open to learn. Don’t try to educate them all at once; every presentation and meeting is an opportunity to add to their knowledge of the importance of Cyber Security.

Provide the Board with Easy-to-Understand Oversight: Assuming the CISO has done a good job of educating the Board on Cyber Security, the next important step is to provide an easy-to-understand Cyber Security Oversight dashboard. We suggest the use of visuals and graphics as much as possible so that a quick scan can provide important insights into the current state of cyber security. We also strongly suggest that this oversight be forward looking and state future potential risks, again with ROI and financial and strategic implications.

Give Members of Your Team Board Exposure: The entire Cyber Security team is critical to protecting the organization, and it is important for the Board to have exposure to members of this team and to understand their dedication and commitment to keeping the organization safe. This is also an opportunity for members of the Cyber team to develop their skills at giving presentations and responding to questions.

Bring Other Functions onto a Cyber Safety Team: Cyber security is a team sport, and we strongly believe it is the responsibility of the CISO to integrate all other company departments and functions into understanding their individual and collective roles in cyber safety. In many organizations, poor cross-functional cooperation and communication is a significant cyber risk.

Ask: How Can I Better Support You? At the end of every CISO presentation to the Board, it is useful to ask the Board what else they need and how the Cyber Security team can better support them. This often elicits important insights that otherwise might go undiscussed.

Role of the Board

A One-Way Partnership Doesn’t Work

Study the Board Pack: First and foremost, every member of the Board should spend quality time studying the Board pack well before the upcoming meeting and prepare their list of questions and concerns. Two things often stand in the way of good preparation for a Board meeting. The first is a late pack that is sent out just a few days before the meeting. Board members should demand that the company deliver the upcoming Board pack at least 10 days to 2 weeks prior to the meeting.

The second issue impacting preparation is the size of the Board pack. There is no reason for a Board pack to be 300 pages long, yet that is often the case. Large, unreadable and undigestible Board packs often contain boilerplate elements from previous Board packs and rarely summarize the information, on the belief that completeness is better. The fact is, no Board member will read a 300-page pack, especially one sent out just a few days before. The Board Chairman should demand that management produce a concise and easily understood pack so the Board can do its job: to openly discuss and provide guidance on important issues.

Do Your Homework: In many Board meetings, when the topic of Cyber Security comes around, only a few of the technically savvy Board members engage in the discussion. Much of this silence is due to a lack of understanding of the basics of cyber security. We strongly suggest that every Board member read the overview book Cyber Security for Dummies or an equivalent. Cyber security impacts everyone, and the modern Board member should, at the very least, understand the basics.

Demand an Enterprise Cyber Security Approach: To fully protect the company and mitigate risk, the Board should demand that all key functional heads participate fully with the CISO in forming an Enterprise Cyber Safety Committee. Cyber security is too important for one function to shoulder all the accountability. We suggest that one Board member be an ad-hoc member of this committee and promote the overall enterprise view of risk and security. All departments must work together to promote a cyber safe culture.

Ask: How Can the Board Better Support You? While a good Board discussion involves many questions concerning cyber security and the future risks to the company, it is always good practice to end by asking the CISO what help they need from the Board. Again, this question often opens up fruitful lines of discussion.

An Important Partnership

Strengthening the working relationship between the Board and the CISO is in everyone’s best interest, and since risk mitigation is a key role of the Board, we encourage Board Chairmen to make this partnership a priority.

For More Information on the role of the Board in establishing a cyber safe culture, contact:

John R Childress, email: jrchildress@cultursys.com

About johnrchildress

John Childress is a pioneer in the field of strategy execution, culture change, executive leadership and organization effectiveness, author of several books and numerous articles on leadership, and an effective public speaker and workshop facilitator for Boards and senior executive teams. In 1978 John co-founded The Senn-Delaney Leadership Consulting Group, the first international consulting firm to focus exclusively on culture change, leadership development and senior team alignment. Between 1978 and 2000 he served as its President and CEO and guided the international expansion of the company. His work with senior leadership teams has included companies in crisis (GPU Nuclear, owner of the Three Mile Island Nuclear Plants following the accident), deregulated industries (natural gas pipelines, telecommunications and the breakup of The Bell Telephone Companies), mergers and acquisitions, and classic business turnaround scenarios with global organizations from the Fortune 500 and FTSE 250 ranks. He has designed and conducted consulting engagements in the US, UK, Europe, Middle East, Africa, China and Asia. Currently John is an independent advisor to CEOs, Boards, management teams and organisations on strategy execution, corporate culture, leadership team effectiveness, business performance and executive development. John was born in the Cascade Mountains of Oregon and lived in Carmel Highlands, California during most of his business career. John is a Phi Beta Kappa scholar with a BA degree (Magna cum Laude) from the University of California, a Master's Degree from Harvard University, and was a PhD candidate at the University of Hawaii before deciding on a career as a business entrepreneur in the mid-70s. In 1968-69 he attended the American University of Beirut, and it was there that his interest in cultures, leadership and group dynamics began to take shape.

John Childress resides in London and the south of France with his family and is an avid flyfisherman, with recent trips to Alaska, the Amazon River, Tierra del Fuego, and Kamchatka in the far east of Russia. He is a trustee for Young Virtuosi, a foundation to support talented young musicians. You can reach John at john@johnrchildress.com or john.childress@theprincipiagroup.com