Cybersecurity is a board level issue: 3 CISOs tell why
As a venture capital investor who was previously a Chief Information Security Officer, I have noticed an interesting phenomenon: although cybersecurity makes the news often and is top of mind for consumers and business customers, it doesn’t always get the attention it deserves by the board of directors.
Misconceptions and knowledge gaps increase this distance between security and oversight. How can boards dive deeper into the world of security and overcome the entry barriers to collaboration? Seeking advice, I reached out to prominent security leaders: Joel Fulton, the former CISO of Splunk; Jeff Trudeau, the CSO of Credit Karma; and Yassir Abousselham, the former CSO of Okta and the newly appointed CISO of Splunk. Here are their tips for board members.
Recognize security as both a business risk and an opportunity
First and foremost, it is imperative for the board to appreciate the impact that information security can have on the business. Boards should treat security as a top business risk as well as a top business opportunity. Major security events can have a significant impact on revenue, brand, and even lead to catastrophic results.
Abousselham elaborates: “In an era where organizations are handling large amounts of sensitive information and governments are actively pushing more stringent privacy laws, data breaches have serious ramifications for the organization, its customers, and partners.”
Bridge the technical gaps
Contrary to popular belief, security leaders believe that domain expertise is not a prerequisite to making smart security decisions. Instead of focusing on every technical bit and byte, Trudeau suggests the conversation should concentrate on understanding the risks and ensuring they are properly addressed.
Yet, even on a macro level, security concepts might be difficult to fully understand, so a short and dedicated security training for the board can come in handy. It’s also key to remember that it’s not only the board members who may feel like fish out of water. The CISO, too, can get intimidated and might over-rely on the comfort and familiarity of technical details.
To mitigate the differences, Abousselham offers to foster a synergic discussion by framing risks and mitigations in business terms. Fulton proposes focusing on the Venn overlap of the security program’s weaknesses and the board’s strengths (like governance and strategy). This enables the board to interact with security as they do with other domains, empowering the CISO with wise counsel, and letting both view clearly the current situation and the paths to success.
Ask the right questions
The board should operate on the notion that absolute security does not exist. The best way to assess your security program is often by focusing on and drilling down into the economic trade-offs.
Fulton’s suggested economic questions include: Are you applying your scarce resources, people, and time to the correct problems? Next, drill deep to understand the security leader’s rationale and thinking: How do you know you’re right? What evidence would indicate you’re wrong? and How can we find that evidence?
The board’s questions should also serve as a vehicle for both the CISO and Directors to think more strategically about security. As the technological environment has evolved tremendously in recent years, it is important to step outside the traditional realm of compliance and assess the potential catastrophic consequences of security deficiencies. For example, Trudeau proposes including questions like: Could what happened at this other company happen to us? What would be the damages from such threat materializing in our company?
Evaluate the effectiveness of the security program
The group offers structured approaches to synthetizing information and reaching conclusions about the security program. Abousselham recommends a top-down method: “Confirm that the CISO has a good grasp of security and compliance risks. Then validate that the CISO’s vision and strategies support the direction of the company and desired risk posture. Further, get comfortable with the CISO’s ability to execute, including the adequacy of the organizational structure, technical capabilities, funding, and ability to hire and retain talent. Lastly, because incidents are bound to happen, evaluate the ability to detect and respond to security compromises”.
Fulton advocates that the board seek to help the CISO with possible blind spots, looking to validate the security strategy and initiatives with questions like: Where are you intentionally reducing focus? Why is that decision the best decision in this company, environment, and vertical? In your areas of highest investment, what does “secure enough” look like?
Certainly, no evaluation will be complete without metrics that measure the progress and maturity of the security program. Fulton suggest boards inquire on how the program is measured and how the CISO knows the measures are valid and reliable. Abousselham offers focusing on objective risk measures with metrics to show progress against a baseline such as NIST CSF; and adopting no more than ten key metrics that summarize the state of the security program and its business influence.
When measuring the security program’s effectiveness, it is crucial to consider that it is tied to the CISO’s ability to influence the organization. The security leader’s ability to execute is very much dependent on the reporting structure.
According to Trudeau, reporting to the wrong executive could pose challenges for the security program and hinder its effectiveness. In addition, it is important to validate the CISO’s cross-functional operation. Most security practices and controls are implemented, operated, and maintained by employees without “security” in their title. Consequently, a CISO must be respected and influential outside her own organization.
Communicate in the right format and cadence
A good rule of thumb is for boards to meet the CISO at least once a year. Abousselham explains that some companies adopt a cadence of two updates per year, to the board and the audit committee. Boards might also ask the CISO for more frequent or ad hoc updates if the perceived risk is higher than the acceptable threshold.
Additionally, informal and off-schedule meetings improve relationships and information sharing simply by the reduction in formality. Fulton believes these keep strategy aligned and could be invaluable during actual or tabletop incident walk-throughs. However, boards should be careful to not overdo it as too frequent meetings can be inefficient, Trudeau warns.
With security becoming increasingly important, some organizations have created security committees to ensure independent oversight of security risk. The security leaders don’t believe it’s necessary in most cases, since it might be distracting. If a company is forming a security committee, Abousselham explains that committee members should be independent and with proper domain expertise to formulate and report an accurate opinion of the security risk posture to the board.
Fostering collaboration between the board and the CISO benefits both groups and the company as a whole. However, it’s not always easy and growing pains are to be expected. While everyone may share the same objective of seeing the company succeed, they often differ in their agendas and approaches.
The good news is that asking the right questions, conquering communication gaps, measuring progress and treating security as a business risk will set the board up for success in improving the company’s security standing.