After so many high-profile breaches and other large-scale loss events, cybersecurity risk has been elevated to a board level concern – and infosec and risk professionals need to elevate their point of view to board level to be truly successful.
The 2020 FAIR Conference has lined up an expert panel on board communication, including Shelley Leibowitz, one of the few board members for a major (non-technology) corporation who came up through IT.
Shelley was a financial industry CIO (including Morgan Stanley and the World Bank, where she also ran cybersecurity), is now a board member for MassMutual and E*TRADE and consults on digital transformation and strategic cyber risk management through her firm, SL Advisory.
The FAIRCON session: Roundtable - Helping the Board Exercise Proper Cyber Risk Oversight, Tuesday, October 6, 1:10 – 1:55 PM ET. The FAIR Conference is a virtual event this year, open for free to FAIR Institute members. Join the Institute now (membership is free to qualified professionals), then register for the conference.
As a preview of the roundtable, here’s a conversation with Shelley…
Q: What’s been the change in cybersecurity since you’ve been observing it?
A: The key change is it’s become headline news and moved out of the technology realm. It is now squarely in the center of business…For instance, earlier this year the bipartisan Solarium Commission proposed adding cybersecurity to Sarbanes-Oxley disclosure requirements.
Note: Congressman Mike Gallagher, Solarium Commission Co-Chair, will also speak at FAIRCON 2020, on a roundtable on defending the US in cyberspace, Tuesday, October 6, 12:30-1:00.
Q: What’s the level of education among board members regarding cybersecurity and risk?
A: In the last 5 years, it has developed dramatically. NACD [National Association of Corporate Directors], which is the standard bearer for best practices in the boardroom, has a lot of data on this. Their director cybersecurity handbook [which cites FAIR] goes into great depth and it’s really fabulous.
I think the level of knowledge and sophistication, certainly among the boards of the largest companies, is pretty good. And I would argue that it’s not just security, it’s also privacy and social media and corporate voice. So, the whole topic of information and how do you become and remain a trusted provider has certainly become a boardroom issue.
Q: How should cybersecurity be presented to boards? Should CISOs do the presentation?
A: I tend to be a pragmatist and not an ideologue about any of these things. I don’t actually buy the idea that the higher the CISO reports in the organization, the better… I think domain expertise matters and any organization should be optimized in terms of domain expertise. Information security broadly is both an operational issue and a risk issue. There are many ways to structure it organizationally to optimize the effectiveness of the role.
Q: Should cybersecurity be reported in the context of enterprise risk management, as opposed to a technical discipline?
A: It’s going to be a yes to both. I think the primary issue is in enterprise risk management. But you want to be careful that, as you think about it as a risk management issue, you don’t divorce it from the day-to-day customer development, customer service operations. It is both offense and defense. The earlier and more integrated security is – DevSecOps – the better, and yet you also want the enterprise risk management overlay. So, I’m going to give a big yes to both.
Q: What do you think is the appropriate format to present the details that boards want to see coming up from the risk or security side of the house?
A: It’s what we all talk about from an enterprise risk management perspective. What are the key things that we need to protect? What are the key risks to those things? How well is our mitigation working, what are the feedback loops, and how do we measure and quantify all that?
The traditional heat maps are helpful but sorely lacking. If you can’t quantify it, then it all becomes very fuzzy and very subjective. So, I think you need both qualitative and quantitative measures. And you have to decide on a nomenclature and a set of metrics. And one of the things that is important is to have those be persistent.
Also, I think you’ve got to go for materiality – you’ve got to summarize to what’s important and what’s material. You look at key risk indicators and key performance indicators, look at your third and fourth parties, your supply chain, and you must look at external measures, whether it’s audit or security scorecards.
Then you have to figure out the quantitative measures and they may be highly imperfect, but as long as you understand the assumptions and the models, you look at those as well and try to create a picture from all of those data points.
Q: What’s the role of cybersecurity in digital transformation?
A: All businesses going forward will be omni-channel. It’s about figuring out your own business model and how you best serve your customers.
There’s a great Harvard Business Review article called AI for the Real World. It talks about digital transformation in three different buckets: customer intimacy [what they want, based on data you collect], operational effectiveness, and customer engagement… Information security can’t be after the fact. It’s got to be part of the early on thinking and development of all those avenues…Information security is an enablement issue and it’s a policy issue. How do we enable our business and protect our business and what are the rules of the road?
Q: What role do you see the FAIR model and the FAIR movement playing?
A: For a long time, information security in particular struggled with quantitative measures, and struggled with thinking about a risk profile. It reminds me of the early days on Wall Street and financial services [struggling with] value at risk (VaR). That’s kind of the way I think about [FAIR] – it’s like a value at risk model.
I think it’s incredibly helpful…Particularly at the most senior levels and certainly from where I sit at the board level, it gives you some grounding in terms of understanding what really is at risk. The more time that goes on, the more data that’s available, the better the models become and the more reliable those quantitative measures become. I really think we’ve turned a corner in terms of the importance and validity of those measures.
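As an added illustration of the point Shelley makes above about quantified measures versus heat maps, and of the "value at risk" analogy for FAIR, here is a small FAIR-style Monte Carlo simulation. It is example code written for this post, not the FAIR Institute's tooling; the scenario name and its frequency and magnitude ranges are constructed, hypothetical inputs.

```python
import math
import random
from typing import Dict, List

# Constructed, hypothetical scenario (not a real assessment). FAIR factors are
# given as min / most-likely / max ranges, as calibrated estimates usually are.
SCENARIO = {
    "name": "Phishing leads to unauthorized access to customer records",
    "lef_per_year": (0.2, 1.0, 4.0),                     # Loss Event Frequency
    "loss_per_event_usd": (50_000, 400_000, 5_000_000),  # Loss Magnitude per event
}

def poisson(rate: float, rng: random.Random) -> int:
    """Knuth's algorithm: number of loss events occurring in one simulated year."""
    limit, k, product = math.exp(-rate), 0, rng.random()
    while product > limit:
        k += 1
        product *= rng.random()
    return k

def simulate_annual_loss(scenario: dict, years: int, seed: int) -> List[float]:
    """One simulated year per trial: sample a rate, an event count, then each event's loss."""
    rng = random.Random(seed)           # fixed seed makes results reproducible
    lef_lo, lef_ml, lef_hi = scenario["lef_per_year"]
    lm_lo, lm_ml, lm_hi = scenario["loss_per_event_usd"]
    losses = []
    for _ in range(years):
        rate = rng.triangular(lef_lo, lef_hi, lef_ml)   # note: (low, high, mode)
        n_events = poisson(rate, rng)
        losses.append(sum(rng.triangular(lm_lo, lm_hi, lm_ml) for _ in range(n_events)))
    return losses

def percentile(values: List[float], p: float) -> float:
    """Nearest-rank percentile (p in 0..100) over a sorted copy of the values."""
    ordered = sorted(values)
    rank = max(1, math.ceil(p / 100 * len(ordered)))
    return ordered[rank - 1]

def loss_exposure_summary(scenario: dict, years: int = 10_000, seed: int = 2020) -> Dict[str, float]:
    """Board-level view: expected annual loss plus VaR-style tail percentiles."""
    losses = simulate_annual_loss(scenario, years, seed)
    return {
        "expected_annual_loss": sum(losses) / len(losses),
        "p50": percentile(losses, 50),
        "p90": percentile(losses, 90),
        "p95": percentile(losses, 95),  # the "1-in-20 bad year" loss, the VaR analogue
        "max": max(losses),
    }

if __name__ == "__main__":
    for key, value in loss_exposure_summary(SCENARIO).items():
        print(f"{key:>22}: ${value:,.0f}")
```

Unlike a heat-map cell, the percentile figures carry the assumptions (the ranges) with them, so a board can ask how the picture changes when a range is challenged.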