Cyber Security and your Board

Jamie Cutler, CIO, QEP Resources

Jamie Cutler, CIO, QEP ResourcesJamie Cutler, CIO, QEP Resources

Boards of Directors are worried. In the last year the landscape for technology in a board meeting has gone from discussions around system implementations and data management to preventing the potential loss of hundreds of millions of dollars in a cyber-breach. Now CEOs, CIOs and Boards are held accountable when data breaches occur. Following the Target breach in 2014, a proxy advisor recommended the replacement of nearly seven out of 10 board members and while not leading to an ouster of the Target board, it illuminated the pressure boards are now under to be proactive in the protection of customer and employee data.

"The SVE solution's unique compatibility with Citrix, VMWare, and other hypervisor solutions help the clients deploy the solution in a streamlined and centralized manner"

What does that mean for the CEO, CIO, and CISO in a public company? Boards are asking questions about the state of cyber security for the first time ever and these positions need to be prepared to discuss not only the current state of their companies’ cyber security, but more importantly the overall risk profile of cyber security within the company. Few executives are equipped to lead a discussion around risk in the context of a cyber-breach today which creates a gap as Public boards want to know what the corporate risk is and how to mitigate that risk over time.

So, how should c-level executives frame the conversation with the Board around risk and cyber-security? Start with the basics and ask yourself some foundational questions.

What does your board care about? Boards care about Revenue, EBITDA, G&A, shareholder return and the corporate governance enabling these. Most importantly they value a year over year improvement in the financials of the company. The board is paid to advise company leadership on strategic direction and to ensure risk is mitigated appropriately, leading to that company growth.

So, what do you do?

Use risk as the center of your discussion.
Create a “risk” rating and a risk dashboard to sum up to your board the following things; where your security program is relative to your industry and to best practice, how interesting your industry and your company is to attackers (does your industry have a higher profile for data exfiltration or media attention?), identify and quantify your risk areas (data loss: customer and employee, business interruption, negative media attention resulting in stock price decline or sales decline, industrial control system failure resulting in disaster.

Next, talk risk reduction. Many board members ask if you are going to be “hacked” your answer should be “yes, eventually”. No company, government body or even person is completely secure (even luddites who live in the woods with no com­puter or Internet access can have their social security number stolen)

Now that you have gotten the boards attention with all of the in­dustry vulnerabilities and the state­ment that no company is secure, discuss what you are doing, at the highest level to reduce that risk. Talk in corporate terms not techni­cal. Avoid discussions of tools, sys­tems or software at all costs. Focus on your overall security program, your approach to securing data, and do not forget your response to a breach or security incident. To­day, every company needs a com­munications and response plan. This is a form of risk reduction. Data breaches are, unfortunately becom­ing more common. Plan for your response. Keep top­ics like cyber insurance, employee security educa­tion and cloud provider data loss mitigation in the conversation with your board (They read maga­zines just like you do and know all about cloud). Po­sition your security program maturity compared to others in the industry. Are you bet­ter, worse or just getting start­ed? A key goal should be to “less interesting” and more difficult to breach than your peers, a compe­tition of sorts. Let the board know that. Your ultimate goal is to reduce overall cyber-security risk and one of the key ways to accomplish this is to reduce your threat footprint and your profile overall.

Use your board conversation to not only discuss cyber risk and the mitigation of that risk, but to ask for the resources you need to mitigate the risk. The board wants to know that you are doing the right things, understand the threats and are on the frontline in working to stay ahead of the emerging threats. Part of your overall roadmap for cyber-security should be to constantly evaluate new people, process, technology and solutions that can enhance your security posture. This should not only be central to your efforts, but should be foundational in your discussion with the board.

Framing a conversation around cyber-security is an evolving task. With cyber breaches becoming a regular news item and boards under pressure to ensure their cyber-se­curity programs are sound; expect this conversation to be a regular part of your board audit committee meeting. Even if this has not been a part of your board meetings to date, you can start now by creating a risk-based, business-language framed conversation with your company and board leadership.

Read Also

Future Of Cyber Security: Responding To Threats With Confidence

Future Of Cyber Security: Responding To Threats With Confidence

Bernard Gavgani, Group CIO, BNP Paribas
Meeting the Cybersecurity Challenge

Meeting the Cybersecurity Challenge

Scott Self, CIo, Tennessee Valley Authority
Navigating the Storm of CVEs

Navigating the Storm of CVEs

Yonesy Núñez, Chief Information Security Officer, Jack Henry & Associates
Building a Comprehensive Industrial Cyber Security Program

Building a Comprehensive Industrial Cyber Security Program

Mohamad Mahjoub, CISO, Veolia Middle East
Building Untrusted Networks to Improve Security

Building Untrusted Networks to Improve Security

Earl Duby, Vice President and CISO, Lear
Security challenges that companies face when implementing telehealth and the solutions and best practices for managing the risks

Security challenges that companies face when implementing...

Stefan Richards, Chief Information Security Officer, CorVel Corporation