Veteran cyber experts Devan Sandrasagaram and Samantha Finan offer their exclusive tips on how to speak ‘board’
So, what does your management team want to know about its IT security risk posture? Perhaps a better question to ask is: what do they ‘need to know’ given the plethora of legal, regulatory, and mandatory requirements relating to global IT security today?
For the most part, boards are required to play an active role in ensuring the effective management of IT security risk.
So, what do CISOs need to relay to the board?
Threats and risks: Capturing a view of the current (internal and external) threat outlook and associated risks that the company faces is a good starting point. This view can then be mapped to how the organisation is handling these dynamic, evolving threats and resulting risks.
Analysing the risk posture will identify whether the quantum of risk being carried is acceptable. If a risk is being held too long, the board can push for faster risk reduction.
Cultural matters: IT security behaviours are fundamental to an organisation’s culture. The health of your security culture can be measured through multiple channels, including mandatory e-learning programmes, testing phishing click-through rates, and governing the delivery of IT security programmes and key deliverables.
Keeping regulators onside: For regulated organisations, meeting key regulatory obligations and addressing any new or overdue significant regulatory findings on time is critical.
Metrics: To answer the board’s question of “are we secure?” curated metrics with appropriate board-approved appetite thresholds need to be in place to communicate whether the organisation is within appetite, outside tolerance, or outside appetite.
It is advisable for metrics to follow a common structure, such as the five functions of the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework (‘Identify, Protect, Detect, Respond and Recover’), to ensure adequate coverage.
Under “Identify”, some areas of concern would be knowing which third, fourth and fifth parties are touching the organisation’s most critical data; understanding whether the organisation’s systems have adequate controls and consequently a sound security posture; and capturing whether system changes are made securely without introducing vulnerabilities. Looking forward, boards should be made aware of key emerging risks and how the organisation intends to mitigate them.
“Protect” looks at whether an organisation is adequately safeguarding its assets. This takes the form of scanning for and fixing critical security vulnerabilities; ensuring access management controls are in place for identified systems; segmenting networks; providing multi-factor authentication; and having data leakage controls for critical systems.
“Detect” and “Respond” aim to ensure the organisation has robust and timely detection capabilities and can respond to cyber intrusions and incidents at speed and with minimal business disruption.
“Recover” covers backups and recovery plans, which need to be exercised to increase the firm’s resilience to attacks.
Risk complexity: Complexity is introduced when risks intersect. For example, fraud and cyber risks in financial institutions often cross over. These potential gaps and complexities need to be managed so the board has a full view of the risk the organisation is carrying.
Board-level metrics can be supported by more granular and detailed business-level metrics. This way the board focuses on the top concerns, in line with its role as steward on behalf of the company’s investors, whilst management is involved in the strategy and delivery of business objectives, including cyber risk.
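As an added illustration (not part of the original article), the metrics banding and roll-up described above in Python: each business-level metric carries board-approved appetite and tolerance thresholds, is banded as within appetite, outside appetite or outside tolerance, and the worst band per NIST CSF function becomes the board-level status. The metric names, thresholds and observed values are constructed, and the severity ordering (outside tolerance being worse than outside appetite) is an assumption.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Metric:
    name: str
    function: str           # NIST CSF function the metric rolls up to
    higher_is_better: bool  # True for coverage-style metrics, False for counts, rates, times
    appetite: float         # beyond this the metric is "outside appetite"
    tolerance: float        # beyond this the metric is "outside tolerance"

# Severity ordering assumed here: within appetite < outside appetite < outside tolerance.
SEVERITY = {"within appetite": 0, "outside appetite": 1, "outside tolerance": 2}
def classify(metric: Metric, value: float) -> str:
    """Map an observed value onto the three appetite bands, respecting metric direction."""
    sign = -1 if metric.higher_is_better else 1  # flip so that "more is worse" always holds
    if sign * value <= sign * metric.appetite:
        return "within appetite"
    if sign * value <= sign * metric.tolerance:
        return "outside appetite"
    return "outside tolerance"

def roll_up(metrics, observed):
    """Collapse business-level metrics into one status per NIST CSF function (worst wins)."""
    status = {}
    for m in metrics:
        band = classify(m, observed[m.name])
        if m.function not in status or SEVERITY[band] > SEVERITY[status[m.function]]:
            status[m.function] = band
    return status
# Constructed sample metrics, thresholds and observations; not figures from any real organisation.
SAMPLE_METRICS = [
    Metric("critical vulnerabilities open over 30 days", "Protect", False, 5, 20),
    Metric("MFA coverage of critical systems (%)", "Protect", True, 98, 90),
    Metric("phishing click-through rate (%)", "Protect", False, 5, 10),
    Metric("critical third parties with current assessment (%)", "Identify", True, 95, 85),
    Metric("mean time to detect (hours)", "Detect", False, 24, 72),
    Metric("mean time to contain (hours)", "Respond", False, 48, 96),
    Metric("critical systems with exercised recovery plan (%)", "Recover", True, 95, 80),
]
SAMPLE_OBSERVED = {
    "critical vulnerabilities open over 30 days": 12,
    "MFA coverage of critical systems (%)": 99,
    "phishing click-through rate (%)": 9,
    "critical third parties with current assessment (%)": 83,
    "mean time to detect (hours)": 96,
    "mean time to contain (hours)": 30,
    "critical systems with exercised recovery plan (%)": 97,
}
```

Running `roll_up(SAMPLE_METRICS, SAMPLE_OBSERVED)` on the sample data flags Identify and Detect as outside tolerance, Protect as outside appetite, and Respond and Recover as within appetite, which is the one-line-per-function view a board pack would carry.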
Return on cyber investments: Ultimately, organisations need to achieve the right return on cybersecurity investments. Risk needs to reduce in line with spend to justify cybersecurity costs. Boards will question spend. As cybersecurity professionals, we need to be able to quantify risk and the spend we make in response, while being an active partner to the organisation so it can achieve its business objectives and strategies.
About the authors:
- Devan Sandrasagaram is a highly experienced cybersecurity and data leader, who has been involved in setting board risk strategy and transforming business culture across the globe.
- Samantha Finan is the former global head of information and cyber security (ICS) policy, standards and reporting at Standard Chartered Bank.