JM Search recently hosted a cybersecurity-focused webinar entitled How CISOs and Boards Can Improve Cyber Governance and a key theme was the importance of alignment and communications between the two parties. The webinar featured some of the brightest minds in the field, including Aaron Hughes, CISO of Albertsons Companies; Leslie Lamb, Director, Global Risk Management at Flex; and Jody Westby, CEO of Global Cyber Risk, each of whom shared their experiences and best practices for how CISOs and Boards can work together for success.
Here are some of the key themes and takeaways that were discussed by the webinar panelists.
The Importance of Board Support
The advent of ransomware-as-a-service, increase of geopolitical tension, move of malware to mobile, and rise of other cyber threats reinforce the importance of robust enterprise information security governance programs. While CISOs drive process and develop these programs, senior executives and the Board of Directors are key contributors to the overarching vision. As a result, their buy-in is imperative to mitigate operational and material risks by building a cybersecurity mindset into the enterprise’s risk management framework.
Establishing a Governance Framework
Even with the diversity and complexity of cyber threats, some companies still manage and govern their risk in an ad-hoc manner. Due to the lack of close interaction with the Board and executive leadership teams, some CISOs are limited updates only two to four times a year (if that) and struggle to garner sufficient support to build a robust enterprise security and risk management program.
Boards and executives should weigh in on establishing governance standards and best practices with expert guidance. The CISO knows which governance cybersecurity framework aligns with organizational goals and industry security requirements, be it the National Institute of Standards and Technology (NIST), the International Organization for Standards (ISO), or another framework.
The C-Suite, who often are jack-of-all-trades, may understand some of the basics, but CISOs need to explain each framework, ongoing threat, and risk management strategy in terminology, pain points, and goals that resonate with this unique executive audience. If cyber governance conversations only happen during quarterly reports, then the business has been done a disservice.
Setting Clear Division of Roles and Responsibilities
Cybersecurity is truly an enterprise responsibility; therefore, activities need to be clearly divided between management and the board. CISOs must identify the key risks that could have a material impact on operations or the bottom line and then tie those risks to controls in a cybersecurity program. This ensures everyone has access to the latest, most accurate data on those particular risks, which the directors and officers can use to establish key information flows and reporting.
In turn, the Board must understand cybersecurity programs in order to provide guidance to management and establish expectations for cybersecurity governance. An informed Board can suggest pertinent requirements for cybersecurity programs and effectively gauge the company’s appetite for cyber risk, affirming top roles and responsibilities for the program as needed. Last but not least, Boards with a working knowledge of cybersecurity can approve program policies and procedures, as well as discuss recommendations for corrective action with CISOs.
Mutual Understanding is Key
Do Boards and CISOs share common ground on the key risks, coverage strategies, and financial impact related to cyber threats? Both parties need to come together and align their understanding of the business through a cyber governance lens.
Though it’s no small feat, the comprehensive executive team can start by evaluating the company’s mission, culture, business processes, system architecture, information security program, and privacy program within a cyber risk management framework. If done correctly, the C-Suite can reveal any Achilles heel created by these factors and then determine which key information flows imperil your operations.
After identifying risk factors, the Board and CISO should connect the controls of the cybersecurity program and the relevant business unit metrics of those factors to measure the effectiveness of your adjustments. Additionally, organizations can build a customized insurance program, rather than an off-the-shelf product that fails against novel challenges, to ensure optimal protection. With that clear understanding and shared commitment, your executive team can better support business objectives while mitigating the worst threats.
What Success Looks Like
There is no endgame in security. Rather, it’s more like a long journey during which your cybersecurity program continues to mature. The good news is that in the last five to ten years, cyber risks have become a much more common topic of conversation between Boards and CISOs, which indicates that organizations are beginning to establish a more holistic understanding of these threats. Similarly, the timing of these conversations has become condensed—what was once an occurrence every 12 to 16 weeks now happens as frequently as once a month in more cybersecurity aware, forward leaning organizations. This could be considered an indicator that Boards are getting more familiar with the subject matter and its seriousness.
One thing is for certain: companies that fail at cyber governance are stuck in a state of non-transparency, which hinders any ability to plan for threats. By cultivating open lines of communication that Boards and CISOs can both understand and contribute to, even the worst of worst-case scenarios can be met with a robust, pragmatic response.
Interested in learning more about how CISOs are effectively partnering with Boards to improve cyber governance? Reach out to the team at JM Search.