More and more boards are scrutinizing the impact of security and privacy issues on their businesses. However, taken action to being CISOs on to the board has been way too slow. The main challenge is that they don’t grasp that information security issues are not simply IT issues. For clarity, take a look at my article on ‘8 Reasons Why Cybersecurity Strategy and Business Operations are Inseparable‘.
The urgency now being seen from many boards is more so a knee-jerk response to government pressures and increased regulations in lieu of several high profile breaches that have shaken public trust. The former head of the Securities and Exchange Commission (SEC) Luis Agulilar made the following comment back in 2014:
“Board oversight of cyber risk management is critical to ensuring that companies are taking adequate steps to prevent, and prepare for, the harms that can result from such attacks.” He also issued a clear warning that “boards that choose to ignore or minimize the importance of cybersecurity oversight responsibility do so at their own peril.”
Regulators across the globe are making it clear that organizations must have robust privacy and security controls in place to manage the risks associated with technology-enabled commerce. As such, it is critically important that boards regardless of their companies’ industries have a security expert among them to expertly lead the organization in such matters. It is clear that government regulators will hold the Board of Directors accountable and liable for not discharging their duty to prevent harm to the corporation, including damage occurring from cyber attacks and data breaches. Individual directors themselves can be subject to derivative shareholder lawsuits and class-action suits from the company’s banks, business partners, vendors, customers and their own employees.
That being said, not many CISOs have the knowledge and experience; the executive capabilities required to translate into meaningful business terms the impact a cyber incident has on the organization and the activities undertaken to mitigate such events. Many members of the board are not engineers or IT professionals, let alone possess an understanding of technology governance, risk and control. The average board is comprised of approximately nine individuals but some can be as many as 30 persons, so it is imperative that the CISO familiarize himself with his audience to effectively deliver a solid presentation that resonates with them. It is helpful to go into the details of presentations one-to-one with individual board members, as many of them love going into depth and that is an ideal approach to influence the board on an individual basis. For actual board meetings, there is a firm agenda and time limitations that can lessen the strength and impact of CISO presentations.
One of the most effective presentations is the use of risk metrics as most board members in a formal session do not want to be inundated with techno-jargon (do this and watch their eyes glaze over). They want a helicopter perspective of the issues and with clear impact on how the organization as a whole is affected. Board members want visual quantification of risks with the most relevant data in simple language. Using benchmarks designating the past, present and future allows the audience to clearly see how the situation has changed, see the progress and efforts necessary to achieve a benchmark goal.
It is an uphill journey for a CISO to acquire a seat on the board. It is not for the faint-hearted as one is burdened with enormous responsibilities and the board members are the apex of the organization tasked with guiding its ultimate success or failure. Consequently, board membership is a delicate process as much is at stake in terms of the organization remaining a going concern.
CISOs are a necessity to have on the board but they must be savvy, experienced and strategic-minded executive to serve in that capacity. They must have the vision, thought leadership, relationship building skills, and grit to demonstrate value to the organization in this role.