What’s the outlook for board support for cyber risk quantification programs? Still early stages but more opportunity than ever. That was the consensus of a panel of senior cybersecurity executives and an experienced board member and board adviser, led by Larry Clinton from the Internet Security Alliance, the co-author of the National Association of Directors Handbook on Cyber Risk Oversight.
Replay the webinar (a free FAIR Institute membership is required; join now).
- Moderator Larry Clinton, President of the Internet Security Alliance (ISA)
- Elias Oxendine IV, CISO, Yum Brands
- Kevin McCarty, CISO, Cigna US Healthcare
- Kris Lovejoy, Board Member, Dominion Energy and Global Security and Resilience Practice Leader, Kyndryl
- David Burg, Americas Cybersecurity Leader, EY
Here are some of the key points to emerge from the discussion:
Although there has been talk of increasing the number of board members versed in cyber risk, relatively few directors have that expertise. Board reporting on cybersecurity, as currently practiced, is still mostly compliance focused.
--Elias Oxendine: “Given the prevalence of ransomware, from the board level that leads to getting into more risk-based conversations than two years ago. But traditionally and even today, we report out on our program using the NIST CSF framework. NIST is a program maturity assessment, not a risk assessment. We are looking to FAIR to help with this.”
However, board members are aware of cybersecurity issues. If anything, they are suffering from cyber-reporting fatigue and are looking to understand cyber in business terms.
--David Burg: “There’s not a doubt that cyber is a top business issue and that nearly all board members understand that. The challenge that we have today is being able to take a lot of technical data and put it into business context…Many boards are extremely fatigued of this topic. They know it’s important, they don’t understand it…One of the reasons this conference is so important has a lot to do with converting technical information into a business story that can be told very clearly at a board level.”
The SEC and other regulators are forcing the conversation toward thinking in terms of CRQ programs.
--Kris Lovejoy: “The way we [board members] interpret the new SEC guidance is that we have to ensure that we have an effective cyber risk management program in place that enables us to manage that risk effectively. Our focus is not necessarily on the material incident definition and quantification, it’s the cyber risk management program implementation and we’re looking at the material events as more of the way that you know whether that program has failed.”
“Digital transformation” is an opportunity for CISOs who quantify risk.
--Kris Lovejoy: “What board members care about is digital disruption these days…One of the things that we don’t exercise enough as practitioners is talking about cyber risk in the context of a digital transformation and doing cyber risk quantification within that context as well. What I see security people doing really well is bringing legacy technology constructs to the board. If you say 30-40% of our infrastructure is legacy, and of this 30-40%, this 10% supports business-critical infrastructure, this is a risk for us because we cannot build a space shuttle on top of a 1975 Pinto. The board gets that, and that gives you license to become a business leader.”