A chief information security officer (CISO) must be able to communicate effectively with the board of directors (BOD) and its audit subcommittee about the organization’s cyber risk posture and strategy. Clear communication helps the BOD understand the potential impact of cyber threats on the organization and make informed decisions about risk management, including capital allocation and spend relative to industry peers.
Effective communication with the BOD starts with understanding its perspective and priorities. The BOD is responsible for overseeing the overall management and performance of the organization, and its members are typically more concerned with financial and strategic risk than with technical detail. The CISO should therefore present information in terms that are relevant and understandable to the BOD, and clearly articulate the potential impact of cyber risk on the organization’s bottom line.
Five Guidelines to Building a Strategic Relationship
Every interaction between a CISO and the BOD will be different, so the most reliable route to success is a single strategy applied consistently over the long run. Built on the five rules of thumb below, that strategy can yield a strong relationship based on trust and demonstrable value added.
Identify key performance indicators (KPIs)
BOD members appreciate evidence-based management. Use KPIs that are relevant and meaningful to the BOD: quantifiable metrics that measure progress and performance in a specific area and can be tracked from one meeting to the next. Common KPIs for a CISO to present include:
The number of cyber incidents and their severity.
This KPI helps the BOD understand the frequency and impact of cyber incidents on the organization. Quantify severity in concrete terms: the percentage of hosts or network segments compromised, the number of divisions or teams affected, the length of time critical systems were not functioning properly, or something equally measurable. Nebulous terms like “high impact” convey nothing meaningful to the BOD and can come across as an attempt to obscure the true impact of the incidents that occurred.
The cost of responding to and mitigating cyber incidents.
This KPI helps the BOD understand the true financial impact of cyber incidents, so when assessing it, count reputational cost alongside direct response costs such as investigation, remediation, and downtime. Over the longer term, a clear picture of the financial and reputational cost of mitigation lets the BOD judge more quickly whether the organization’s response strategy is effective.
The effectiveness of cybersecurity controls.
CISOs can measure this KPI using a framework such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF). The NIST CSF is a widely adopted framework that provides a set of industry-agnostic guidelines and best practices for managing cyber risk. By evaluating the organization’s cybersecurity controls against the NIST CSF, the CISO can help the BOD understand the organization’s current level of cyber risk and track improvement over time. Note that a framework assessment measures coverage and maturity rather than proving that a control works; pair it with evidence from control testing where available. The CISO may also consider pairing the NIST CSF with an industry-specific framework or standard relevant to the organization.
Frame in capital allocation
In addition to presenting relevant KPIs, the CISO should provide context on the organization’s capital allocation and spend relative to industry peers. This helps the BOD judge whether the organization’s cybersecurity efforts are in line with industry standards and practices, and it lays the groundwork for future discussion of the additional investments needed to respond to ever-changing cybersecurity threats. The CISO can present this information in the form of benchmarking data or industry reports.
Be transparent and honest
When engaging with the BOD, the CISO must be transparent and honest about the organization’s cyber risk posture. This includes acknowledging any incidents, weaknesses, or vulnerabilities that exist, as well as discussing the steps being taken to address them. Recent high-profile legal cases have highlighted the need for awareness of a material event to extend beyond company management to the BOD. The BOD should be made aware of any potential material risks that could affect the organization’s operations or reputation, and the CISO should be prepared to answer questions and provide additional information as needed.
Be proactive
Because cyber risks can evolve quickly, the CISO should also be proactive in engaging with the BOD. In many organizations, one BOD member takes the lead on cybersecurity matters and serves as the CISO’s point of contact and line to the board. This individual may be responsible for overseeing the organization’s cyber risk management efforts and coordinating with the CISO and other relevant stakeholders. Outside of recurring audit committee meetings, the CISO should schedule ad hoc meetings when appropriate to discuss specific issues or concerns, and should ensure management is also informed of anything material that is discussed. By staying engaged with the BOD and keeping it informed about the organization’s cyber risk, the CISO helps ensure the BOD is aware of potential material risks and can in turn make informed decisions about risk management.
Collaborate with the BOD
The BOD in turn owes the CISO direction on its appetite for risk and on what it considers the key risks. This direction lets the CISO prioritize and focus efforts based on business needs and objectives. Both management and the BOD will be more inclined to provide the resources and support the CISO needs if they understand how that funding is mitigating the organization’s enterprise risk. The CISO can build that understanding by collaborating with the BOD on the company’s overall risk management strategy.
Overall, effective communication and collaboration between the CISO and the BOD are critical to managing cyber risk within the organization. By presenting relevant and understandable information, being transparent about the organization’s cyber risk posture, and proactively engaging with the BOD, the CISO helps ensure the BOD is aware of potential risks and can make informed decisions about risk management. At the same time, the BOD must provide the guidance, resources, and support the CISO needs to carry out their responsibilities effectively and protect the organization from cyber threats.
Want more on security program strategy? Check out our post exploring the adversarial nature of cybersecurity from a big picture perspective.