In the wake of countless high-profile data breaches and cyber attacks over the past several years, cybersecurity has become a board-level concern for global, publicly traded and private companies. Updating an organization’s board of directors on past threats, potential risks and the mitigation measures established to prevent them falls to the chief information security officer (CISO). And it’s a responsibility best not taken lightly.
“Even for the most experienced CISOs, going to the board is an area they invest time and effort in – no one is complacent about how these meetings go,” said Vodafone CISO Emma Smith.
Communicating a very complex subject to an audience whose expertise likely lies elsewhere can be a challenge. To provide an effective update, CISOs not only need to communicate any incidents that occurred since the previous update, introduce new cybersecurity initiatives and discuss changes to the risk landscape; they also need to do so within the context of their business.
The RSA Conference Executive Security Action Forum (ESAF), a trusted, invitation-only community for Fortune 1000 security executives, recently surveyed a number of its member CISOs on their approach to preparing for and communicating to their organization’s board of directors, including how they decide what information to include and how to educate a business-focused group on very technical topics. The research was steered by the ESAF Program Committee, a group of 15 CISOs from global companies, including Bayer, Capital One, Cisco, Evernorth (Cigna), HCA Healthcare, Infosys, Leidos, Liberty Mutual, McKesson, Meta Platforms, Procter & Gamble, Sony, Vodafone and Walmart. ESAF released its full research report, which draws on CISOs at the world’s top brands and contains charts, graphs and insight from real-world, anonymized board meetings. Some of the topline findings follow.
Understand the board’s objectives
Boards of directors need assurance that an organization’s security risks are being managed carefully. If there is a breach, and it later becomes evident that the board was not dutiful in its oversight of the company’s security initiatives, individual board members can be held legally liable. Because of this, it is important for CISOs to relay their organization’s cybersecurity strategy and the plan for achieving it in layman’s terms to ultimately get the board’s endorsement of both.
“If you can’t get the board on your side with your strategy and how you’re pursuing it, that’s an existential problem for the role you are sitting in,” Brad Arkin, senior vice president and chief security and trust officer for Cisco, said on a recent webcast with RSA Conference. “Being able to walk them through this as non-experts and get them comfortable when they’re not able to assess exactly how you’re doing with their own skills – it’s a communication challenge. And for someone who spends most of their day looking at IT problems, it can be tough.”
Given board members’ expertise in business and finance, it is important for CISOs to provide context to the global risk profile as well as the cybersecurity risks specific to their organization. “There’s an education process because many times, what they’ve read in the Wall Street Journal might not be the No. 1 risk for me and my environment,” Arkin said. “I need to help give them context on how I understand the risk landscape facing our organization.”
Provide a balanced perspective
There are many factors that determine the topics addressed in updates to the board and the level of detail presented. Depending on the board’s expectations, the vertical industry and regulatory environment the company operates in, business objectives and the CISO’s own perspective, topics typically include:
- Changes in the risk landscape – this is mostly focused on threats but can also include new regulations or contractual obligations
- High-priority risks – these include the cyber risks or risk factors that have the CISO’s attention right now
- Security maturity score – this provides an overview of the company’s security posture
- Security initiatives – these update the board on the progress of existing projects as well as new ones
- Security incidents – this informs the board of any breaches, threats or other activity that has significantly affected the company
While topics can evolve over time, and there might be a need to update the board on recent events, such as a new threat type that the CISO is keeping an eye on, CISOs strive for consistency in these updates. J.R. Williamson, senior vice president and chief information security officer for Leidos, said, “Ultimately, from quarter to quarter, the board isn’t going to remember all these specifics, so what they really want to know is how we’re trending.”
Rely on the data
Many CISOs place an emphasis on metrics in their quarterly and annual board presentations. The metrics used depend on the objectives of the board as well as the cybersecurity initiatives the company is pursuing. Presenting data gives board members confidence that the CISO and security team are tracking it and using it to make strategic decisions. When provided consistently, data also sets a level of transparency about the team’s performance.
CISOs typically focus on a handful of key metrics when developing their board presentations, selecting ones that connect with the company’s business objectives and address the highest risks, demonstrate the progress of security initiatives and communicate that a security threshold has been crossed. Additionally, CISOs often take their cues from the board itself, including updates for questions members have asked in previous meetings.
“Those qualitative assessments allow an organization to drill down to and consider both the likelihood, impact, velocity, duration, and when it comes down to cyber as a business risk, the interdependency of those risks that help the board make important decisions,” Williamson said.
For more information on how CISOs approach presenting to the board of directors, download “What Top CISOs Include in Updates for the Board: Exclusive Insights from RSAC Executive Security Action Forum.”