Cybersecurity is the number one agenda item for corporate boards in 2018 according to a recent survey of directors. It’s no surprise that boards are focused on managing cybersecurity risks. Last year, a steady stream of headline-grabbing data breaches dealt a major blow to many companies’ earnings and valuations; some companies are still reeling from the impact. This year will also see the U.S. Securities and Exchange Commission (SEC) issue new breach disclosure requirements and the EU’s General Data Protection Regulation (GDPR) come into full force.
What does this mean for Chief Information Security Officers (CISOs)? Reporting to the Board of Directors has gone from being a possibility several years ago to a key job responsibility today. It’s now common for a CISO to provide a formal update to the audit committee quarterly and to the full board once or twice a year or more. Board members want to know, “What are the risks? What are we doing to manage them? Is it enough?”
To effectively answer these questions and develop an ongoing board communications strategy, CISOs often seek advice from their peers. How are others CISOs approaching this?
The Executive Security Action Forum (ESAF), organized by RSA Conference, is a great resource for facilitating this sort of information exchange. For 15 years, ESAF has been hosting regular meetings where members can candidly share ideas on common challenges in a confidential setting. The group consists of top CISOs from around the world ̶ security executives from Global 1000 companies ̶ who are committed to building a stronger community in information security. In recent discussions, ESAF CISOs have uncovered some leading practices on working with the board of directors that we think would benefit the larger community and we’d like to share them with you here.
Educate the board outside of formal meetings
Companies face a range of risks–from financial to competitive–so most board members have a lot of experience to draw on when it comes to understanding risk. Cybersecurity is just one more risk, but it is relatively new to the board. An important part of the CISO’s role is educating them about it.
In the first few board meetings, CISOs might include a session on “cybersecurity 101,” but it doesn’t make sense to repeatedly use up precious board meeting time going over cybersecurity basics. Instead, create opportunities outside of the regular meetings to educate the board.
- Offer cybersecurity education sessions preceding or following board meetings.
- Encourage board members to come visit your security operations or cyber fusion center.
Things to report to the board
What should a CISO be spending time on during a board meeting? At one ESAF session, CISOs were asked what they see as some of the “most effective things to report to the board,” key points included:
- Current relevant events … What are we doing to protect our organization? Are we ready?
- High profile incidents
- Changes to regulations
- Changes to threat landscape
- What are the most significant cybersecurity risks we are facing?
- How are we addressing these risks?
- How mature is our security program?
- Is it based on a framework? (i.e. NIST or ISO)
- How does it align to business strategy?
At a follow-up ESAF session, three board members who serve on 10+ corporate boards at Fortune 500 companies were invited to offer their response to the list above. They agreed with the CISOs’ key points and emphasized three areas to include in the report:
- Process to identify, prioritize, and mitigate risks
- Status of compliance to company policies
- Efficiency of the security program
The board members also suggested that the CISO select one or two strategic ideas that the board needs to pay attention to for the long-term interest of the company. Over time, the board can apply pressure to the entire company that will lead to the appropriate change.
Things NOT to report to the board
Both the CISOs and board members agreed about the least effective content. When reporting to the board, avoid:
- Technical or operational metrics
- Problems without solutions
- FUD: Fear, Uncertainty, and Doubt
Provide context to guide decision-making
Board members are not cybersecurity experts. Yet the board has to make a judgement call regarding whether the company is doing enough to manage cybersecurity risk. ESAF CISOs recommend covering these key points to help boards make this call:
- The nature of security
- It’s a journey, not a destination
- It’s dynamic: the posture may change given the adaptive methods of threats
- Effectiveness of the security program
- Show your ability to execute on security plans: describe roadmap and milestones
- Build confidence that you can handle a big incident: describe how the you constantly solve small incidents
- How the company compares to others
- Relevant benchmarking data
- Third-party assessments
Successful CISO-board communications require mutual understanding. Learn more about individual board members: their background, interests, and knowledge areas. Build relationships with directors who could help you address certain issues or champion particular initiatives. Have informal meetings to find out how they think you could use your time wisely in your board presentations.
Reporting to the board and other top-of-mind challenges will be explored at upcoming ESAF information sharing events, including the 15th annual meeting at RSA Conference in April. If you are a Global 1000 CISO and you’d like to be invited to our events, please contact Laura Robinson, ESAF program director at email@example.com.
The RSA Conference Executive Security Action Forum (ESAF) is an association of top information security and risk executives from Global 1000 companies and government agencies. This trusted Forum has a long history of frank, meaningful and confidential discussions and unparalleled networking among peers.
*** This is a Security Bloggers Network syndicated blog from RSA Conference Blog authored by Laura Robinson. Read the original post at: http://www.rsaconference.com/blogs/tips-from-top-cisos-reporting-to-the-board-what-works-what-doesnt