Editor’s note: This is a guest post by Matt Kelly, CEO and Editor-in-Chief of Radical Compliance, a website devoted to corporate compliance, audit, and risk management issues.
Boards of directors want assurance on many issues. One concern always at the top of the list: cybersecurity.
Knowing what to report to the board about security, however, is no easy thing. Board directors might lack expertise in cybersecurity issues, and end up dwelling on unimportant details while ignoring larger strategic questions. Conversely, your organization might lack a mature security process, and fall into the trap of just answering whatever questions the board asks.
That poses challenges for the CISO. He or she needs to cultivate an ongoing conversation with the board about cybersecurity: the right metrics to present, important processes to explain, urgent needs to convey. That’s the foundation of useful reporting to the board.
So how does a CISO get there?
Ground the Board in the Basics
First, give the board guidance on what you would like it to consider. Anchor the conversation around a few basic points that reflect your concerns, so further discussions can proceed from there.
For example, you might begin with regulatory compliance: the laws and regulations that apply to your organization, where cybersecurity must meet certain expectations or face dire consequences.
Walk through the types of data the organization has in its possession (personal data; intellectual property; data from business partners), which laws govern how the company handles that data, and what penalties might befall the business (or board directors personally) if the company doesn’t take cybersecurity seriously.
You could also review your own operational security concerns. Some examples include:
- Insufficient or inadequate staff
- Outdated technology
- Imprecise understanding of vendor risk
- Shifting business strategies that generate new risk
The common theme in these examples is that the CISO is talking about security capabilities measured against the risks arising from operations. Framing the security function that way, as something meant to be a strategic asset to the organization, and being candid about how well you are or aren’t achieving that goal at the moment, focuses the board’s mind on the big picture.
It’s also important to ask board directors what worries them, since the answers will help the CISO understand the board’s priorities and its perception of cybersecurity issues. For example, directors might misunderstand the organization’s vulnerabilities or its key cybersecurity risk metrics. Then again, they might have precise ideas about what the organization’s tolerance for security risk should be, given other strategic objectives the business has to pursue.
Above all, this is an opportunity to build rapport and trust. Internal auditors and audit committee chairs will always say they want a solid, trusting relationship, where each one knows he or she can call the other with urgent matters. CISOs should strive for that same level of trust, even before they have anything specific to discuss. The success of everything else you might report to the board flows from this early investment of your time.
Talk About the Processes of Security
Once that foundation is laid, CISOs can talk about more substantive issues. One logical place to start is the process of security at your organization — what the principal tasks are, and how they get done.
For example, a discussion of how your organization assesses and manages vendor risk is always worthwhile. Don’t necessarily talk about how many third parties have access to the company’s confidential data, or how that number changes from one quarter to the next. Rather, talk about how you determine that number, and how confident you are that it’s correct.
Likewise, you could give a report on how the company audits the security of its third parties, including which parts of those audits are automated and timely, and which aren’t. You could also talk about how the company complies with security audits from others — and again, explain how confident you are that the audits or attestations you provide are indeed accurate.
Two other processes critical to a successful security function are the monitoring, alerting, and escalation of incidents (how your team knows that something has gone amiss, and how quickly the correct people know); and breach response programs (what the security function does once a breach happens). Both issues are worthy of board reporting, simply to help the board understand how the security function works.
Third, talk about how the security team assesses emerging risks, and what those emerging risks might be. Sometimes those risks are threat-driven, such as a new type of phishing attack or an increase in ransomware dogging your industry. Other times they are company-driven, such as everyone working from home on personal networks and devices.
After all that, you can present more data-driven material to the board: spikes in certain types of attacks, staffing or budget concerns, or key performance metrics you and the board had agreed to monitor.
The pitfall to avoid is reporting too much information, leaving the board overwhelmed or uncertain about where to focus. What boards need is assurance that the security function works — not a complete digest of what the security function is doing.
Reporting on Specific Incidents
Eventually your organization will suffer a security crisis. When that ordeal comes, the CISO must be able to report about that specific incident, too.
First, review how your team discovered the problem and triaged the severity of the threat. Did law enforcement or some other third party inform you of the breach? Was it detected immediately by your own security defenses, or did it surface later through a routine audit? The answer says a great deal about how well your monitoring actually works.
Second, present the potential damage: operating disruptions, regulatory infractions, financial losses, and harm to reputation. Even if you can’t put specific dollar amounts to each category, at least organize the potential damage by severity. For example, a ransomware attack might seem relatively small in financial costs (the average ransom paid in 2019 was $84,000), but it could cause severe disruption while critical data is locked, plus follow-on regulatory inquiries that won’t be cheap to answer.
Third, the CISO (and other executives as necessary, such as the general counsel) should review the crisis management plan. If you’ve already reviewed the organization’s breach response program generally (as discussed above), then this phase will be more about how you are putting that program into action for whatever specific incident has happened.
The board will want to know items such as:
- What is the timeline for recovery?
- What key milestones must be hit?
- When can the organization resume minimum viable operations, and then all other operations?
- Does the organization have specific deadlines for breach disclosure, either to regulators, harmed consumers, or business partners?
Always Remember: The Report Evolves
Cybersecurity threats change constantly. New threats emerge, new technologies pose new challenges, regulations change, and the company shifts to new operations.
No single, static report to the board can encompass all those things for long. A CISO’s report to the board therefore should always be at least partly a conversation, not only a structured document. The conversation should guide what that structure should be, not vice versa. And the conversation should always drive toward one question.
“How well protected are we, and is that protection enough?”
Matt Kelly is the editor of Radical Compliance, a blog that follows corporate compliance and risk issues. He also speaks frequently on compliance, governance, and risk topics. Kelly was named a ‘Rising Star of Corporate Governance’ by the Millstein Center for Corporate Governance in its inaugural class of 2008, and was named to Ethisphere’s ‘Most Influential in Business Ethics’ list in 2011 (no. 91) and 2013 (no. 77). In 2018 he won a Readers’ Choice award from JD Supra as one of the Top 10 authors on corporate compliance.