[BreachExchange] CISOs Finally Have The Board's Attention -- Now What?

[Destry Winant]

https://www.forbes.com/sites/forbestechcouncil/2020/05/15/cisos-finally-have-the-boards-attention-now-what/#814d56415c8c

It wasn’t long ago that enterprise CISOs were trying to gain the
attention of the board of directors. Before the massive data breach at
Equifax, the leak involving the personally-identifiable information of
more than 500 million Facebook users, or any number of other
high-profile security incidents that have dominated headlines the past
couple of years, issues concerning security were typically included in
the broad category of risk, which often fell under the purview of the
COO or CFO.

But as Bob Dylan crooned, “The times, they are a-changin.”

Nowadays, anxious corporate board members are asking, “Can something
like that happen to us?” and taking steps to ensure security is part
of every board conversation. However, now that the CISO is being
invited to sit at the table, many questions remain: How should they
best communicate technical security issues to a nontechnical board?
What best practices might they apply from other departments that
regularly participate in board meetings? COVID-19 has only amped up
this need as new realities — such as an exponential increase in remote
workers, moves by many businesses to rush new apps and features into
production, and hacker activity linked to the pandemic — raise new
cybersecurity challenges.

What does the CISO need to do to make the most of the opportunity in
front of them?

Security Is A Business Issue

Whether it’s a data breach that exposes the personal information of
your customers, penalties imposed for noncompliance with data privacy
regulations, or a major business disruption caused by a ransomware
attack, the consequences of poor security oversight are broad,
multifaceted and unpredictable.

Businessweek recently published a feature story about a hacker hired
by the CEO of Cellcom Liberia, Liberia’s second-largest telecom
provider, to disrupt the service of its largest market competitor,
Lonestar. When Cellcom was later acquired by French wireless carrier
Orange SA, Orange was determined to have "vicarious liability" due to
the actions previously taken by Cellcom “even if it didn’t know what
the conspirators were up to, because of laws making companies
responsible for the conduct of employees. Orange said in a statement
that it knew nothing about [the hacker’s] activities until it received
the legal complaint from Lonestar in 2018.”


Using Data, Science And The Media To Fight A Pandemic

This is one of many recent examples of a global conglomerate being
blindsided by security risks, with executives and its board of
directors having little to no visibility and then being forced to deal
with the fallout.

Building A Blueprint For CISO Boardroom Success

Now that the CISO has secured a seat at the board table, what should
they do to make the most of this opportunity? Here’s what my
experience as a cybersecurity executive and independent board member
has taught me:

• Communicate in terms the board understands. Corporate boards speak
in the language of business performance, and consequently, the
successful CISO must adapt their lexicon to effectively communicate.
For instance, use risk benchmarks in comparison to industry peers
rather than describing the specific security technologies in place.
Otherwise, CISOs run the risk of being viewed merely as technologists
rather than as strategic business enablers.

• Hire a third-party security auditor. Just as a board relies on
third-party auditors to validate financial results, consider hiring an
independent security auditor to identify gaps and demonstrate that the
appropriate technologies, processes and controls are in place.

• Don’t fight legislation — work to enhance it. As we’ve seen in the
wake of Sarbanes-Oxley 20 years ago or with new legislation like the
California Consumer Privacy Act (CCPA) and the EU’s General Data
Privacy Regulation (GDPR), government will continue to enact
legislation when public opinion reaches a boiling point. While these
regulations can feel like an unnecessary compliance burden, they also
provide an opportunity to better understand and evaluate business
risks.

• Define and standardize security metrics. Every board relies on
operational and performance metrics to measure their effectiveness and
address deficiencies across the business. While defining metrics for
security can be challenging given the unique risks present in each
business, it’s worth investing the time. The NIST Cybersecurity
Framework provides a good starting point for identifying and
prioritizing the key categories and building a cybersecurity reporting
scorecard.

No Standardized Security Playbook

The audit committee, which is responsible for providing oversight of
financial reporting and disclosure, is a standardized function of
every publicly-traded company’s board of directors. The rules and
roles are well established and clearly understood. Board members focus
their attention on the business and performance issues, while the
audit committee identifies and reports on any "material risks" — be
they environmental, social or geopolitical — that might adversely
impact the business.

All audit committees operate in pretty much the same way. They rely on
independent third-party auditors and generally accepted accounting
principles (GAAP) to review financial statements and monitor internal
controls. Whether you’re a consumer products manufacturer or a global
technology service provider, the audit committee’s playbook is more or
less the same. In contrast, the domain of cybersecurity is the Wild
West: The threat landscape changes on a daily basis, and systems are
constantly in flux. Plus, every company assesses risk in different
ways, making it especially challenging to standardize reporting and
measure operational effectiveness.

Just because there’s no standardized security playbook the CISO can
employ as a reference framework for communicating with the board
doesn’t mean there aren’t practical steps to take in the immediate
term. Whether you work to build consensus about the metrics to be used
to report on security issues or collaborate with a third-party
security auditor to provide objective feedback on current processes
and controls, proactively engaging in these types initiatives will go
a long way in demonstrating commitment.

While it’s heartening to see the CISO becoming a fixture in the
boardroom conversation, their long-term success will require a
combination of both the strong technical skills that got them there in
the first place and solid business and communications skills to
effectively translate the nuances of security in terms the board will
understand.