Alliances and partnerships produce stability when they reflect realities and interests. ~ Stephen Kinzer
The old expression of “walk a mile in my shoes” is a fitting analogy for building a cyber safe organization. While there is no 100% guarantee of cyber security, the risk of cyber breaches can be greatly reduced when there is a good working relationship between the CISO, other department heads, and the Board.
A recent GSISS survey correlating whom the Chief Security Officer reports to with financial losses from breaches shows the importance of the Board – CSO/CISO relationship.
In the disruptive global business world of today and with risks stemming from individual hackers, criminal gangs and nation-state bad actors, the relationship between the CISO and the Board becomes increasingly important.
So, what are the elements that make up an effective CISO – Board partnership?
Both the CISO and the Board have significant accountabilities in building a partnership that helps reduce and mitigate breaches.
Role of the CISO
Seek to understand first, and then you will be understood.
Focus on the Business Issues: First and foremost, the CISO must understand the business issues that are important to the company and the board and are most impacted by cyber security. A good board will accept that their CISO has a grasp of the technical issues and is less interested in the mechanics of cyber security than in how cyber impacts the business, especially financial and operational performance, brand value and investor confidence. Presentations to the Board should always start with the strategic and business objectives of the company and show how cyber security is critical to successful strategy execution.
Integrate Your Cyber Security Plan with the Company Strategic Plan: Cyber security should be one of the strategic pillars of the company strategic plan, and the CISO should work closely with the Board in putting in place those cyber security initiatives that support the overall strategic objectives of the company. The CISO who develops his/her plans and budgets independently of the overall company strategy will find both support and funding difficult to obtain.
Link Security to Business Metrics: Your team should work hard to present ROI information. For example, you can show the estimated amount saved when an attack is thwarted, or the ROI of quicker breach containment. When asking for additional support or funding, start with the risk of potential losses and end with an estimate of ROI.
Provide Forward-looking Insights: Most of the information a Board receives is nearly two quarters old. To support the Board and the company, the CISO’s team should work hard to present forward-looking insights, indicating both upcoming opportunities for greater security and upcoming potential threats. The use of extrapolations and predictive analytics is very useful in helping Boards plan and make better recommendations.
Educate the Board: Most Boards have one or two members with good technical backgrounds, but the majority have little expertise in cyber issues and should be eager and open to learn. Don’t try to educate them all at once; every presentation and meeting is an opportunity to add more to their knowledge about the importance of Cyber Security.
Provide the Board with Easy-to-Understand Oversight: Assuming the CISO has done a good job of educating the Board on Cyber Security, the next important step is to provide an easy-to-understand Cyber Security Oversight dashboard. We suggest the use of visuals and graphics as much as possible so that a quick scan can provide important insights into the current state of cyber security. We also strongly suggest that this oversight be forward-looking and state future potential risks, again with ROI and financial and strategic implications.
Give members of your team Board exposure: The entire Cyber Security team is critical to protecting the organization and it is important for the Board to have exposure to members of this team and to understand their dedication and commitment to keeping the organization safe. This is also an opportunity for members of the Cyber team to develop their skills at presentations and responding to questions.
Bring Other Functions onto a Cyber Safety Team: Cyber security is a team sport, and we strongly believe it is the responsibility of the CISO to integrate all other company departments and functions into understanding their individual and collective roles in cyber safety. In many organizations, poor cross-functional cooperation and communication is a significant cyber risk.
Ask: How Can I Better Support You? At the end of every CISO presentation to the Board, it is useful to ask the Board what else they need and how the Cyber Security team can better support them. This often elicits important insights that otherwise might go undiscussed.
Role of the Board
A One-Way Partnership Doesn’t Work
Study the Board Pack: First and foremost, every member of the Board should spend quality time studying the Board pack well before the upcoming meeting and prepare their list of questions and concerns. Two things often stand in the way of good preparation for a Board meeting. The first is a late pack that is sent out just a few days before the meeting. Board members should demand that the company deliver the upcoming Board pack at least 10 days to 2 weeks prior to the meeting.
The second issue impacting preparation is the size of the Board pack. There is no reason for a Board pack to be 300 pages long, yet that is often the case. Large, unreadable and undigestible Board packs often contain boilerplate elements from previous Board packs and rarely summarize the information, on the belief that completeness is better. The fact is, no Board member will read a 300-page pack, especially one sent out just a few days before. The Board Chairman should demand that management produce a concise and easily understood pack so the Board can do its job: to openly discuss and provide guidance on important issues.
Do Your Homework: In many Board meetings, when the topic of Cyber Security comes around, only a few of the technically savvy Board members engage in the discussion. Much of this silence is due to a lack of understanding of the basics of cyber security. We strongly suggest that every Board member read the overview book Cyber Security for Dummies or an equivalent. Cyber security impacts everyone, and the modern Board member should, at the very least, understand the basics.
Demand An Enterprise Cyber Security Approach: To fully protect the company and mitigate risk, the Board should demand that all key functional heads participate fully with the CISO in forming an Enterprise Cyber Safety Committee. Cyber security is too important for one function to shoulder all the accountability. We suggest that one Board member be an ad-hoc member of this committee and promote the overall enterprise view of risk and security. All departments must work together to promote a cyber safe culture.
Ask: How Can The Board Better Support You? While a good Board discussion involves many questions concerning cyber security and the future risks to the company, it is always a good practice to end with asking the CISO what help they need from the Board. Again, this question often opens up fruitful lines of discussion.
An Important Partnership
Strengthening the working relationship between the Board and the CISO is in everyone’s best interest, and since risk mitigation is a key role of the Board, we encourage Board Chairmen to make this partnership a priority.
For More Information on the role of the Board in establishing a cyber safe culture, contact:
John R Childress, email: firstname.lastname@example.org