Last week at RSA Conference, Richard Clarke and Tim Callahan shared insights for CISOs on Communicating with the Board.
The two have participated in CISO-Board communications from all perspectives. Richard Clarke, chairman of Good Harbor Security Risk Management, regularly advises Board and CEOs of companies across all sectors, from telecommunications to manufacturing to transportation. He has also been a Board member of several technology companies, receiving briefings from the CISO (or telling the company it needed to hire one!) and being the Board’s point-person on cyber security risk. Tim Callahan is CISO of Aflac, a $35b multi-national insurance company, and is responsible for managing global cyber security risk and briefing the Board. He also serves on the Board of the National Technology Security Coalition, where technology executives and vendor companies meet to discuss technology security policy.
Clarke and Callahan outlined the five things any CISO-Board relationship needs:
1. Governance
The first part of governance is figuring out who on the Board is responsible for cyber security. CISOs need a cyber "champion" on the Board. Ideally, a point-person or committee leads, while the whole Board gets educated and engaged. Generally, the risk committee is a great place for cyber security risk, while Audit committees tend to be too busy and adopt an audit mindset that is insufficient to oversee evolving cyber security risks. The point-person or committee members do not have to be cyber security experts, but they should not be techno-phobic, either.
The second part of governance is getting the Board involved in overseeing cyber security risk management: the Board should review and ultimately approve a risk tolerance, which is a statement of what cyber security risks the company is willing to accept versus which must be mitigated or transferred. The Board should then review and ultimately approve a cyber security strategy that achieves the desired risk tolerance. Get the Board to approve a NIST Cybersecurity Framework target profile or maturity level and then show progress in moving toward it. Of course, the tolerance and strategy evolve over time.
2. Messaging
CISOs should constantly be messaging Boards with insights about cyber security to accomplish three things: first, to build an educational foundation, since many Board members are new to cyber security; second, to emphasize key themes to help the Board focus on the right priorities; and third, to demonstrate expertise and build the Boards confidence in the CISO.
Whenever a cyber security story makes the Wall Street Journal, CISOs should send the Board a quick note explaining what happened, why it matters, how it is relevant to their company, and what the company has done or should do (or not!) to mitigate any risks that the story highlighted.
3. Metrics
Boards need good metrics to understand companies’ cyber security risk profiles and to observe changes over time. Once the Board has approved a NIST Cybersecurity Framework target maturity profile (see Governance above), showing progress in moving towards it becomes an important and helpful metric for the Board. Other key metrics may focus on asset management, on cyber hygiene, on budget, on the team, on incidents, and more.
The important thing is to have a conversation with the Board about what they want to see on a dashboard, what the metrics mean, and how they should inform Board discussions and decisions. The Board should receive an "outside scan" score (like those provided by BitSight that are useful for benchmarking against peers) and a risk score based on inside-the-network information (like the digital resilience score provided by RedSeal). Too often, Boards and CISOs do not talk about the meaning and utility of metrics, and Boards receive metrics that don’t mean anything ("40,000 pings on our network this month!") or that can lead a company to focus on the wrong thing, like compliance over security. Having a conversation about metrics helps to make sure the Board gets the right value and insights from the right metrics.
4. Budget
In the words of former Vice President Joe Biden, “don’t tell me what you value. Show me your budget, and I’ll tell you what you value.” Overseeing budget resources and priorities is an important way for the Board to strengthen a company’s cyber security, so the CISO and Board should regularly communicate about it.
Specifically, the CISO should show the Board three things. First, the CISO should show the Board how much is being spent on what, and how that aligns with priorities that have been established after the Board approved the company’s risk tolerance and strategy.
Second, the CISO should show the Board how the company’s cyber security budget benchmarks against peers, either in absolute terms of total dollars spent or relative terms: IT security as a % of IT budget.
Third, the CISO should show the Board any budget requests that are rejected by management. Too often, after a company gets hacked, the Board (or CEO) finds out about a budget request that could have prevented the breach and that they might have approved, had they only known it was denied.
5. Exercises
Despite the best cyber security, bad things will still happen.
Don't let your first crisis be a real one.
Companies must practice crisis management through executive-level tabletop exercises (TTXs), simulations, and technical response and recovery drills.
TTXs are valuable for a few reasons. They get the executive team working together in a collaborative, whole-of-enterprise way, which is critical to success with any cyber security strategy. They educate management about emerging threats and risks, like wiperware or cyber-physical convergence, and help it discover non-obvious risks that could be material for the company. And, they build the executive team’s “muscle memory” for navigating cyber security crises.
The results of these exercises, good and bad, should be reported to the Board and incorporated into future reporting so the Board can easily track whether recommendations or fixes have been implemented.
A Board member should observe the TTX, but the Board should not be involved in operational decisions in a crisis. By observing the TTX, the Board member can gain confidence in the team and learn why operational crisis decisions should be left to the C-suite team.
Concluding Observations
Of course, every company is different: picking the right committee to oversee cyber security or the right metrics to report to the Board will vary from one company to another.
But, every CISO should attend to governance, messaging, metrics, budget, and exercises to ensure a fruitful relationship with the Board.
Lastly, the five key elements of the CISO-Board relationship need a catchy acronym. GMMBE isn’t cutting it. The call for suggestions is open!