CxO Insight: Reporting Cybersecurity to the Board
by Clarke Rodgers, Enterprise Strategist, AWS Enterprise Strategy
Over the last several months, one of the most common discussions I have had with members of the C-Suite is around how to effectively report and/or discuss cybersecurity with the organization’s Board of Directors (BoD) and/or Senior Leadership Team (SLT).
Before I get into the details, let me do some level-setting around this blog post and its intended audience. I meet with enterprises of all sizes, industries, and maturity. This blog post is not designed to address EVERY situation, but cover MOST, based on the 1:1 and 1:many discussions I have participated in with customers. On one end of the spectrum, the CISO may meet with their respective BoD once a quarter, have the audit committee members’ mobile numbers, and be fortunate to have BoD members leaning in to cybersecurity topics. On the other end, cybersecurity is covered in five minutes as part of a CIO/CTO’s technology overview, cybersecurity is viewed as a necessary evil of doing business, and the BoD members could not be less interested in IT, much less cybersecurity. As is the case in many situations, your organization is most likely somewhere in between those two extremes. Lastly, while I’ll be using the term BoD for consistency purposes, you may or may not have a BoD; you may be privately held, so just replace the concept of BoD with your most senior-level decision-making body at your organization.
As organizations have become increasingly digital over the years, the topic of cybersecurity has grown in prominence across said organizations. Building a mature security culture, building security into development pipelines early, and testing incident response plans have become more the norm than not. Cloud and cybersecurity fluency have made their way out of IT and into the most senior executives’ vocabulary. And finally, with so many newsworthy cybersecurity events getting the BoD’s attention, board members are asking questions like “could this happen to us?” and/or “are we protected?” The increased reliance on a strong cybersecurity posture has demanded the attention of BoDs, and with that attention comes the CISO’s responsibility to report business-relevant, timely information in a clear and concise manner.
Here are five tips a CISO (or other CxO responsible for cybersecurity) can use to maximize their limited time with the BoD:
Stats Are Not Helpful Without Context
Patching status, vulnerability scan results, security remediation burn down rates, and the like are all important things to keep track of, but they are not typically the level at which to engage with the BoD, nor do you want them that deep in the weeds in your security program. To be clear, security metrics are still important and should be made available as an appendix for those who are interested, but leading with them is typically not the best course of action. Instead, speak to the business value your security programs are providing. Understand the priorities of the business and shape your reporting accordingly. “As an update to the program I mentioned in our last session, it has resulted in X% less security remediation work in business unit A so they were able to securely ship critical features Y-Z ahead of schedule. We will now implement the same program across the remainder of the business units, where we expect similar outcomes, resulting in more user engagement/spend/etc.” Lastly, be conscious that in some cases the risk tolerance of one business unit may differ from that of another; there isn’t always a one-size-fits-all view across the organization. CISOs must understand those nuances and be prepared to articulate their views accordingly.
Elevate the Geek Speak
It is very easy for security professionals to wax poetic about this vulnerability, that threat actor, and all the associated problems that could happen should those two meet. It is in our comfort zone; it’s one of the reasons we got into the industry in the first place. However, one of our main responsibilities is to articulate that risk in a language that other people understand. BoDs understand risk in terms of reputation, financial, operational, and concentration, among others. So, when reporting cyber risk to your BoD, focus on reporting it in a way that makes the most sense to your audience. Think “Business unit A’s revenue/customer growth could be impacted next quarter by up to X% since they have items to address in their security backlog. One such item on that backlog is currently being exploited by crime syndicates. There are a couple of mitigants my team can put in place as a backstop, but they will require some unplanned funding/work/etc.” versus “Business Unit A didn’t patch their 325 Linux servers last quarter, and there is a zero day in the wild that could potentially get them owned. My team might be able to address this, but we’re going to need money to do so.”
Align to a Standard
Many boards want to know “how we’re doing in relation to our industry and/or competitors.” While you can take issue with that perspective, it is a common enough question that you should be prepared to answer it. To do that effectively, you should align your security program to some standard so that benchmarks have meaning. Our more regulated customers are familiar with NIST 800-53, SOC, NYDFS, ISO27001, etc., but even if you’re not in a regulated industry, being able to benchmark yourself against something that allows for an objective assessment is extremely helpful. CIS Benchmarks are a good start, as well as Cloud Security Alliance, and NIST-CSF. Lastly, if you are a member of one of the many ISACs, leverage your learnings from there to show the BoD where your organization stands in relation to your peer group.
Know Your Board
It is important to learn about the makeup of your BoD. Do some research about who they are, what their respective backgrounds are, and what other boards they are members of. Knowing your board will help you better frame your cybersecurity message in a context that matters to them. Look for a way to develop out-of-reporting cycle relationships with your BoD members—remember, they are human, they like coffee, lunch, and dinner too! One CISO customer I know went as far as to reach out to a fellow CISO at a company (a competitor, in fact) where they shared a common board member to better understand how best to interact with that board member. Even though they are competitors in a business sense, the two CISOs shared knowledge to strengthen their respective organizations and to be more effective in their board presentations. Another regularly exchanges text messages with their audit committee lead—as with many aspects of life and business, it is the relationships/trust one develops that matter.
Inform the Board Out of Cycle (Security Marketing)
While you may report to the board one to four times per year, that doesn’t mean communications are limited to those occasions. Consider curating a “Cybersecurity Update” email newsletter that gets distributed to your SLT and your BoD. Include current security events that are pertinent to your industry (for example, some great resources for keeping up to date include krebsonsecurity.com, darkreading.com, national and international news sites, as well as paid-for options like IANsresearch.com, among others), updates on internal security/compliance initiatives, and internal security “kudos” where appropriate. These more frequent updates will give your SLT/BoD a better sense of what is going on between BoD meetings and allow the in-person discussion to be more focused when you are present in the board setting.
Ultimately, you must develop a relationship with your BoD. You are not only an educator, but a confidante, a business advisor, and a risk assessor for your organization. If you view yourself simply as the “security tech person” that is how you will be viewed by the BoD.
Here are some third-party links that I’ve found helpful in my discussions with customers; hopefully, you’ll find them useful as well.
Gartner Predicts 40% of Boards Will Have a Dedicated Cybersecurity Committee by 2025
5 Security Questions Board Will Definitely Ask
Security & Risk: How to Talk Digital Risk with The Board
Resilient Governance for Boards of Directors, Considerations for Effective Oversight of Cyber Risk
NACD Boardtalk: To Accelerate Digital Transformation, Follow These Tactics