The Board of Directors Will See You Now
For more than 15 years, the cybersecurity industry has been talking about communicating with the board of directors. It’s common practice for vendors to have e-books, webinars, and presentations about how and what chief information security officers (CISOs) should present to their boards — when they get the chance.
Along with lack of opportunity, CISOs might have anxiety about presenting to the board because they are the only C-level executives without a tool of their own to measure ROI. From Salesforce to Workday to Marketo, C-suite executives have platform solutions aggregating, analyzing, and reporting on every aspect of the operation. There is no such solution for the CISO, making it harder to measure security program ROI or to demonstrate business value.
The irony is that, despite all the interest in presenting to them, to say cybersecurity is not a core competency of the board is an understatement. WSJ Pro Cybersecurity Research investigated the professional background of all S&P 500 board members and found that less than 2% “had relevant professional experience in cybersecurity in the last 10 years.”
No matter who you are, it’s difficult to have great interest in something you don’t understand. That is, until you’re motivated to learn. What we have in front of us now is a great awakening for boards and cybersecurity, courtesy of the Securities and Exchange Commission (SEC).
According to Harvard Business Review, “a proposed SEC rule will require companies to disclose their cybersecurity governance capabilities, including the board’s oversight of cyber risk, a description of management’s role in assessing and managing cyber risks, the relevant expertise of such management, and management’s role in implementing the company’s cybersecurity policies, procedures, and strategies.”
I would expect more boards to be looking for experienced executives with a background in cybersecurity, starting right now. In the meantime, what does this mean for CISOs?
A Great Opportunity
With a sudden interest in cybersecurity, but little knowledge of it, what the board members want to know versus what they need to know may be quite different. For example, focusing too much on the latest attack in the headlines or focusing too much on compliance. Like teaching to the test, achieving compliance may be a good step in the right direction but is not always the same as striving to implement the best possible security measures. When achieving compliance becomes the security goal instead of minimizing risk and protecting the most critical assets, we’ve missed the point.
What an opportunity for the CISO to create a “cybersecurity as a business enabler” narrative for their organization. Your place in the boardroom is now secured. Instead of the occasional one-off update, you are now part of the business conversation on an ongoing basis. This is an opportunity to place cybersecurity in the context of business decisions that the board understands. Ditch acronyms and technical talk of threats, vulnerabilities, and attacks. Be fluent in the language of business and talk about the cyber consequences of business decisions that are made every day.
The use of SaaS apps that make employees more productive in a hybrid work environment also leaves the organization more exposed to risk, as critical business data is now in control of a third party. Business partnerships that drive geographic expansion, rushing new apps to market as fast as possible to capture market share, or acquiring to scale the engineering team all have tremendous cybersecurity consequences. For example, when you acquire a company, you also inherit its attack surface. It is not only a new group of employees who need access to enterprise resources, but all their contractors, partners, suppliers, and so on. It is a tangled, extended digital web of connected assets and implications.
Security leaders would be well advised to make cybersecurity tangible in a business context. Like any other part of the business, there are decisions to be made and trade-offs to consider, all related to what is the acceptable level of risk the organization is willing to expose itself to.
Automation and Evidence
Under the eyes of the SEC, the board needs evidence of what assets it is responsible for and how it is being monitored and proactively protected. In the event of a breach, when did the board know about it, and how fast did it respond and disclose the incident?
It starts with knowing what you are protecting and how you are doing that. Discovery of critical assets becomes a core competency that underpins visibility, classification, and remediation efforts in a modern cybersecurity program. Discovery and classification must be automated to deal with the size, movement, and growth of data and enterprise-connected assets across hybrid clouds, SaaS partners, and digital supply chains. Protection starts with complete visibility of this sprawling attack surface, including every dependency, connection, and vulnerability across all public-facing assets. From there, you can prioritize protections against the most critical threats to your most valuable assets.
Automated discovery can also identify assets that are dormant, unused, and unnecessary. In that way, they can be effectively decommissioned to reduce cyber-risk and attack surface sprawl at the same time.
Conclusion
Now is not the time to educate the board about the difference between malware and ransomware. It is about painting a complete picture of the threat landscape and the specific risks and exposures facing the organization. CISOs should be talking about the overall security program and strategic initiatives to enable the business while measuring and reducing risk.
Help the board understand where the business is vulnerable, where controls end, and where exposure begins. What are the consequences and protection options? At the end of the day, cybersecurity is a business challenge, like growing margins and market share. Strategic priorities and investments aligned to business objectives. Sounds so simple.
Read More HERE