Balancing cybersecurity with business priorities: Advice for Boards

In today’s rapidly evolving technological landscape, it’s more important than ever for Boards and executives to stay informed about the latest advancements and potential risks in technology and digital capability.

In this Help Net Security interview, Alicja Cade, Director, Financial Services, Office of the CISO, Google Cloud, offers insights on how asking the right questions can help improve cyber performance and readiness, advance responsible AI practices, and balance the need for cybersecurity with other business priorities. Cade shares valuable advice for leaders who want to ensure their organizations are equipped to navigate the complex digital landscape of the modern world.

Organizations face an evolving cyber threat landscape these days. Can you provide examples of probing questions that Boards, CEOs, and other executives should ask about technology and digital capability and how these questions can help improve cyber performance and readiness?

The threat landscape continues to remain dynamic and complex, and we expect these trends to continue in 2023 and beyond. In most cases, cybersecurity leaders understand the need for better intelligence on cybersecurity threats, but many of them often make decisions without fully understanding who is attacking their organization and why.

Boards can drive to bridge these intelligence gaps and ensure this information is playing a leading role in risk management decisions. To help encourage this connection, Boards should ask the CISO three key questions at least on a quarterly basis:

• How good are we at cybersecurity? Boards should learn more about the people and expertise on the cybersecurity team, and their experiences. This is important because Boards can’t rely solely on compliance dashboards and cybersecurity controls to answer this question. Boards need to work to understand more about their team’s practical capacity to respond to events. Of course, dashboards can be a great source of information, but do they simply show what organizations can measure, rather than what they should be measuring?
• How resilient are we? Boards should ask the CISO, technology leadership: CIO, CTO and the business leaders about how prepared your organization is to keep the business running through an event like a ransomware attack. Are we testing and validating that designs provide the levels of failover required under a range of scenarios? Can we operate our key business services in a degraded state?
• What is our risk? At a minimum, Boards should ensure that cybersecurity risk assessment addresses five key areas: 1) an assessment of current threat exposure to your organization; 2) an explanation of what the cybersecurity leadership is doing to mitigate against those threats; 3) examples of how the organization is testing whether the controls are effective; 4) an assessment of the consequences if those threats materialize as incidents: are we ready to respond and recover; and 5) an assessment of risks that you aren’t going to mitigate, but will otherwise accept.

Addressing cyber risk is a challenge for many companies, so it is increasingly important for Board members to conduct relevant oversight and help guide risk management priorities. You can read more about these considerations in Google Cloud’s inaugural Perspectives on Security for the Board report.

What top-of-mind cybersecurity challenges are organizations facing today, and how can Boards take a more proactive role in advancing responsible AI practices?

One of the biggest challenges for organizations today is navigating how to tap into the power of AI. We’re only just beginning to see the potential for AI to enable organizations to improve, scale, and accelerate the decision-making process across most business functions.

As Boards consider how to best support their organizations on this journey, we encourage them to recognize the beneficial and transformational potential of AI. At Google, we were one of the first to introduce and advance responsible AI practices, and these principles serve as an ongoing commitment to our customers worldwide who rely on our products to build and grow their businesses safely.

To maximize the benefits of AI technologies and minimize risks, we recommend that Boards work with the CISO to take a three-pronged approach to secure, scale, and evolve – deploy secure AI systems, leverage the power of AI to achieve better cybersecurity outcomes at scale, and stay informed on developments in this space to anticipate threats.

How do you suggest Boards balance the need for cybersecurity with other business priorities, such as innovation and growth?

Boards continue to see cybersecurity as a siloed priority. Traditionally, we were seeing a growing trend around investing in cybersecurity, but not in modernizing the foundational technology behind it.

To better balance the scale, Boards must encourage deeper collaboration between the C-Suite – especially the Chief Information Security Officer, Chief Information Officer, Chief Technology Officer, and Chief Compliance Officer as well as business leaders – to build better security into all products and services versus security being an add-on.

What common misconceptions may Boards have about cybersecurity, and how can they be addressed?

One of the biggest misbeliefs is that security of a company is the sole responsibility of the CISO and their team. Cybersecurity is a team sport.

The interactions on the Board around the security of an organization should not just come from a CISO, and Boards should expect all lines of business – the CIO, CTO, CRO, and other leaders – to talk about cyber risk as part of their strategies. When discussing a launch or new strategy, it is essential that Boards ask all business and technology executives about the broader set of risks, including security, that should be considered.

How can Boards ensure they are adequately prepared for potential regulatory obligations related to cybersecurity?

Governments globally are increasingly implementing regulatory measures to raise compulsory cybersecurity baseline standards, including requirements to report cyber incidents to the relevant government authorities. As regulatory risk increases at federal and state levels, Boards’ understanding of cybersecurity is more critical than ever. Boards will play an important role in how organizations respond to these trends and should prepare now for this future state.

We encourage Boards to adopt the following three principles for effective cyber risk oversight:

• Get educated about key topics to ensure that cyber and broader technology risk is embedded in operational risk and strategic discussions and organizational decisions.
• Be engaged with the CISO, other C-Suite leaders and key business stakeholders to build better relationships, and understand critical gaps and resource needs while ensuring this risk is treated as a priority for all executives – not just the cybersecurity team.
• Stay informed about ongoing reporting activities, ask questions, and work with the CISO and other leaders to understand cyber risk metrics.