Over the past few weeks I’ve had the rare opportunity to meet with board members and discuss their views on cyber security. Many of the questions I posed were sourced from my LinkedIn community, where 25-plus people suggested 50-plus unique questions (eek!).
Even in our short time together, I was left with a much deeper understanding and empathy for board members’ positions. I was also left with an appreciation that we need to have this constructive dialogue with board members and listen to their perspective and expectations more often.
We discussed their recent interest in security, and they cited the following:
Increased volume of activities (Russian interference in the US election, phishing, ransomware, etc.)
The impact of that activity on companies’ strategies (eg Equifax, Ashley Madison, Yahoo)
The catch-up of companies that are not in FS (noting that banks are well versed, as threats started with internet banking)
Third party risk is becoming a clear issue to them
Board members’ awareness and understanding of security is not perfect – but improving.
This really made an impression on me. The board members admitted to having an evolving understanding of cyber security. Some of the things that have helped raise awareness and understanding include live exercises, breaches they’ve experienced, the AICD (Australian Institute of Company Directors) cyber security courses and consultants presenting to boards on the topic. They expressed their desire for more learning and education.
The good news? A clear set of common trends emerged from our discussions.
Boards’ priority of Cyber is top of mind. Cyber risk was readily accepted as a top priority for boards. One board member went as far as to suggest it is a big existential threat. And another said if cyber is not on the corporate risk register somewhere at the top, someone is not doing their job. I can’t help but ponder that at times, mechanical bureaucracy in many organisations means that it’s still NOT on the risk register.
Boards want to hear from and have a trusted dialogue with their CISOs. To cut a long story short, they want CISOs to be translators and communicators. Language, jargon and not having a common lexicon about cyber security were mentioned as contributing to the problem, and CISOs need to be part of the solution. I also learnt that board members want to see the CISO who authored the report, not just the CIO or someone presenting on the CISO’s behalf. They want a dialogue.
Communication of cyber security to boards has to be transparent and in a risk language. Risk, risk, risk…. The number of times the topic of putting security in a business risk context came up was notable. Boards understand risk, and this is what they do on a day-to-day basis. They want us to fit into existing risk frameworks. They want to hear the “exceptions” (e.g. talk about the 5% of data which is not protected, not the 95% which is). And they need our honesty, and for us to talk to them about what’s broken (of course, for those of us living this day to day, it isn’t as simple as it sounds – mechanical bureaucracy sometimes pushes CISOs to water down the messages).
There was a wish for a more normalized conversation in 5 years’ time. At the security event, one of the prominent board members noted that she had not seen a room so lacking in diversity since her days in FS in 1998. She promptly wished that in 5 years’ time we would see more diversity in the profession. Additionally, everyone agreed that in 5 years’ time they would hope this conversation is a bit easier and more normalized for all involved – boards and CISOs alike. I will keep this conversation going through my research and writing.
I welcome your thoughts on the above. I am especially thinking of how we can keep this conversation between security and boards alive.
(This post originally appeared on the Forrester Research blog, and can be viewed here).