Get your reporting in line with board thinking – that was the overall message for CISOs from the roundtable discussion at the recent 2020 FAIR Conference, “Helping the Board Exercise Proper Cyber Risk Oversight”. The session was a concentrated lesson in evolving from security think to board think, moderated by Larry Clinton, President of the Internet Security Alliance, and collaborator with the National Association of Corporate Directors on the NACD Handbook on Cyber Risk Oversight.
- Daniel Dobrygowski, Head of Governance & Policy, Cybersecurity Legal Counsel, World Economic Forum
- Shelley Leibowitz, Board Member E*TRADE, MassMutual
- Lou DeSorbo, Chief Security Risk Officer, Centene
Some of the key points on cyber risk reporting for the board:
Start with the NACD Handbook on Cyber Risk Oversight
Board members and CISOs should get on the same page by reading the Handbook, including principles such as:
- Cybersecurity is not an IT issue. It’s an enterprise-wide risk management issue,” as Clinton said.
- Board members should expect management to present them with a framework or standard for dealing with cyber risk – and provide sophisticated risk analysis. The FAIR model supplies both.
Express cyber risk in economic terms
No surprise to the FAIR community but a good reminder that the board focusses on the bottom line and strategic opportunities, and “that’s where economic value comes in,” said Dobrygowski.” “A cyber value at risk is a crucial indicator [like FAIR] is something that your boards will relate to,” said Leibowitz.
A CISO is likely to report to a committee of the board every quarter for half an hour and to the full board once or twice a year, said Leibowitz. “That’s not a heckuva lot of time. So, it’s really important to have an agreed upon set of metrics, risk appetites and tolerances, and as long as everything is within those agreed upon bands then there’s not much to discuss.” That frees a CISO to focus on “What are the decision points? What information can you give such that you come out with guidance and actionable insights?”
Switch focus from cyber risk to business resiliency
“Security officers tend to focus on confidentiality and integrity, and we forget about availability,” said DeSorbo. “We see a move from cyber risk to enterprise risk and from enterprise risk to business resiliency,” in terms of what the board wants to hear about. “That business resiliency is provided through, many times, cyber resilience…That’s how we try to talk about cyber and how it enables the business.”
Position security as an enabler of corporate strategy
“We have to think about security as an enabler…rather than security as a hindrance,” said Leibowitz and to make that happen “security has to be embedded in the front end of everything you do and you have to think of it as a core part of your strategy or it will be the business ploughing ahead and security saying ‘no’ and that’s a losing proposition.” DeSorbo recommends you “think about security vulnerabilities as defects in your build, and security as a function and a form of quality…It just becomes one of the many things you need to care for as you build innovative solutions that support strategic initiatives.”
Get more insights – watch the video of the session “Helping the Board Exercise Proper Cyber Risk Oversight” now.