Working with a cybersecurity committee of the board
I serve on the board of a publicly traded company. I fostered the creation of the board’s cybersecurity committee and I co-lead it. I’ve reflected on my work as a Global Black Belt, an advisor to chief information security officers (CISOs) and IT security and compliance teams, and studied best practices to set up a cybersecurity committee that best supports the company’s IT security posture. Part of this is fostering a productive relationship with our CISO, recognizing and communicating the great work of their team.
Tools like Microsoft Purview Compliance Manager, Microsoft Secure Score, and regulatory compliance dashboard in Microsoft Defender for Cloud are great ways for an organization to benchmark and communicate its security and compliance posture.
This blog post will offer these learnings to CISOs and IT security teams to set their relationship with the cybersecurity committee of the board up for success.
Microsoft Purview Compliance Manager
Meet multicloud compliance requirements across global, industrial, or regional regulations and standards.
The cybersecurity committee of the board
The United States Securities and Exchange Commission (SEC) adopted rules in July 20231 to expand the scope of its cybersecurity reporting requirements for publicly traded companies,2 making the governance of IT security by the board of directors and the cybersecurity expertise of board members reportable to the marketplace.
Corporate governance benchmarks including the Institutional Shareholder Services (ISS) ESG Governance QualityScore, widely used by analysts and for some executive compensation are including IT security measurements in their scoring.3 Cybersecurity is recognized as requiring governance from the board of directors. Boards are changing to make this possible.
The IT security function was viewed as the province of technical specialists, to be given some increased investment for a more hostile security landscape and in response to high profile security incidents. Cybersecurity was not considered a focus area of the board like finance, audit, or executive compensation. This has changed. Boards are seating directors with IT security expertise and asking for more communication from the IT security team, usually through the CISO.
Mandate of the cybersecurity committee
The mandate of the cybersecurity committee includes learning about the organization’s IT security team. To optimize the relationship, the security team needs to understand how the board and the cybersecurity committee work as well.
The cybersecurity committee will have a mandate, vetted and granted by the board members and likely the chief executive officer (CEO). This mandate will be set out in a corporate document that describes the responsibilities of the committee, the content, and frequency of their reports and the type of information they are to review. The CISO should understand the mandate and with it the scope of the committee to know how to best and most efficiently partner with them. A proactive CISO can contribute to the formulation of the mandate, avoiding conflict and inefficiency, and setting the relationship up for success.
Beyond the mandate document, the board will likely have public-facing Rules of Procedure. This document sets out the mission, duties, and operations of the board. It will likely also have a section describing the various board committees, their operations, and responsibilities.
The committee will be focused on discharging these responsibilities in an auditable way.
Time on the agenda of board meetings is at a premium. A typical two-hour meeting agenda might include:
- Approval of the last board meeting minutes.
- Review of first half results.
- Review of Environmental Social and Governance (ESG) report and ESG committee recommendations.
- Approval of board members’ expenses.
- Financial and business outlook.
- Business plan update.
- Review of next meeting dates.
Some of these are mandated by law, leaving little time for discretionary topics. There may be four or five such board meetings per year. The cybersecurity committee will have a slot on the agenda slot as will other business.
A board may receive a briefing from the CISO on current state and plan once a year. The CISO may be called on to provide ad hoc input on risks, incidents, or other emerging topics.
A cybersecurity committee is a subgroup of the board. It is led by one or two directors that have a relatively high level of cybersecurity expertise. They should:
- Understand the IT security function, policies, standards, current state, and plan.
- Offer their opinion as to how the current state and plan aligns with the company’s risk management posture and business objectives.
- Identify areas in current state and plan that need focus from the IT security function.
- Communicate blockers and advocate for the security function with the board and executives.
The committee is accountable for reporting to the board on these items.
Working with the cybersecurity committee
The board and the CISO need to align on how they will work together. They need to agree on efficient ways to get the information and context the committee needs to achieve its mandate.
This is an opportunity for the CISO to leverage their existing reporting and documents to the extent possible. A CISO who is proactive and suggests a framework will be a good partner to the committee. This will reduce the level of effort for the security team going forward.
The role of the board and the committee is to act on behalf of the shareholders to manage risk—not to manage the IT security team, the plan, or be accountable for cybersecurity. That’s the CISO’s job.
Board members often serve on multiple boards and have high profile roles in other organizations. They need information that is on target, that they can consume quickly, and report with confidence to stakeholders. Effective communication includes:
Context
What does it mean to the business?
Cybersecurity risk and planning should be communicated in similar format to the financial and business risk that the board is used to managing.
Progress to plan should be shown in context. A security roadmap for a minimum of three years should be shared with progress and changes tracked over time.
The focus should be on a holistic IT security strategy and architecture spanning infrastructure, services, internal, vendors, on-premises, cloud, and culture.
Objective data
Recommendations from the IT security team should be presented together with objective information that supports it.
Key performance indicators (KPIs) should be agreed upon and visualized over time to expose trends. The committee should see that the right things are being monitored but not expect to drill down into every KPI.
Objective outputs that can show trends and be mapped to investments in security include Secure Score in Microsoft Defender. Secure Score monitors platform as a service (PaaS) and infrastructure as a service (IaaS) cloud, hybrid, and on-premises environments in Microsoft Azure, Amazon Web Services, and Google Cloud Platform.
Microsoft Secure Score is a similar service focused on the improvement of security posture of a company’s Microsoft 365 software as a service (SaaS), including identity, devices, and applications.
The score, which is expressed as a percentage from 0 to 100, is shown with a list of recommendations that can be undertaken to meet security controls. These security controls should be considered for the security roadmap. As the controls are implemented, the Secure Score increases.
A company should not be focused on driving Secure Score to 100 percent but rather that the recommendations are considered in light of the company’s risk appetite and security roadmap. If the score is not rising as expected then the reason should be understood.
Similarly Microsoft Purview Compliance Manager provides Compliance Score for Microsoft 365. For Azure customers, Microsoft provides the regulatory compliance dashboard in Microsoft Defender for Cloud, which also provides visibility into the compliance posture of non-Microsoft clouds. These solutions are vehicles to help customers objectively assess and communicate the company’s compliance posture with their most important regulatory standards.
The updated security roadmap, with progress indicated, should be presented to the committee, and the KPIs should broadly track with this progress, allowing an increased confidence in the organization’s security posture and trends.
Align with the mandate of the committee
Working with the cybersecurity committee and the board will involve communicating to a diverse group whose first expertise may not be information technology. We need to teach.
We also need to learn. The committee operates within its mandate. Servicing this mandate is the primary focus of the committee. It will come before other subjects we may want to discuss. Map these subjects to the committee’s mandate.
The board operates within its rules of procedure. We will be much more effective if we are familiar with these. If we map our asks and replies to the committee’s mandate, our communication will be well received and we’ll strengthen the partnership. If we understand the rules of procedure we can avoid ad hoc engagement and communicate our message effectively.
The mandate may indicate that a report from the committee is due to the board in advance of the Annual General Meeting. If we’ve agreed on the information needed to service the mandate, we can be proactive about providing this. We can anticipate questions and put challenges in context with what they mean to the business and what we’re doing to address them.
Confidentiality
Some of the materials provided to the cybersecurity committee will require confidentiality. They should be watermarked or encrypted per company policy. Board members are not employees, and they probably don’t have a company email address or access to the company network. The tools and procedures will need to take this into account.
The reporting of the cybersecurity committee to the board is also confidential. Beyond bad actors, the information may be taken out of context by analysts or those seeking to harm the company’s reputation. Security controls should be agreed with the CISO to ensure that the documents provided to and produced by the cybersecurity committee will be limited in distribution to the committee, company leadership and the office of the CISO.
Some board documents are shared with shareholders and made available to the public, such as minutes of the board meetings. Where input from the CISO or the cybersecurity committee for these documents is needed, it should be made sufficiently general so as not to expose the company to risk.
Get started with committee collaboration
The formation of a cybersecurity committee as part of a company’s board will mean more scrutiny of the IT security function. More time will be devoted to communicating and reporting.
The CISO and their team will get visibility with the board and can use this to advocate for the resources and cultural changes they need to protect the company. Productive, efficient interaction with the committee can build a partnership with the board, which protects and adds value for the company.
Learn more
Learn more about Microsoft Purview Compliance Manager.
To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on X at @MSFTSecurity for the latest news and updates on cybersecurity.
1SEC Adopts Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies, SEC. July 26, 2023.
2SEC cyber risk management rule—a security and compliance opportunity, Steve Vandenberg. March 1, 2023.
3IT security: An opportunity to raise corporate governance scores, Steve Vandenberg. August 8, 2022.
READ MORE HERE