Cyber Security and your Board

Jamie Cutler, CIO, QEP Resources


Boards of Directors are worried. In the last year the landscape for technology in a board meeting has gone from discussions around system implementations and data management to preventing the potential loss of hundreds of millions of dollars in a cyber-breach. Now CEOs, CIOs and Boards are held accountable when data breaches occur. Following the Target breach in 2014, a proxy advisor recommended the replacement of nearly seven out of 10 board members and while not leading to an ouster of the Target board, it illuminated the pressure boards are now under to be proactive in the protection of customer and employee data.


What does that mean for the CEO, CIO, and CISO in a public company? Boards are asking questions about the state of cyber security for the first time ever, and these positions need to be prepared to discuss not only the current state of their companies' cyber security but, more importantly, the overall risk profile of cyber security within the company. Few executives today are equipped to lead a discussion around risk in the context of a cyber-breach, which creates a gap: public boards want to know what the corporate risk is and how to mitigate that risk over time.

So, how should c-level executives frame the conversation with the Board around risk and cyber-security? Start with the basics and ask yourself some foundational questions.

What does your board care about? Boards care about Revenue, EBITDA, G&A, shareholder return and the corporate governance enabling these. Most importantly they value a year over year improvement in the financials of the company. The board is paid to advise company leadership on strategic direction and to ensure risk is mitigated appropriately, leading to that company growth.

So, what do you do?

Use risk as the center of your discussion. Create a "risk" rating and a risk dashboard that sums up the following for your board: where your security program stands relative to your industry and to best practice; how interesting your industry and your company are to attackers (does your industry have a higher profile for data exfiltration or media attention?); and your identified and quantified risk areas (data loss affecting customers and employees, business interruption, negative media attention resulting in a stock price or sales decline, and industrial control system failure resulting in disaster).

Next, talk risk reduction. Many board members ask if you are going to be "hacked"; your answer should be "yes, eventually". No company, government body or even person is completely secure (even luddites who live in the woods with no computer or Internet access can have their social security number stolen).

Now that you have gotten the board's attention with all of the industry vulnerabilities and the statement that no company is secure, discuss what you are doing, at the highest level, to reduce that risk. Talk in corporate terms, not technical ones. Avoid discussions of tools, systems or software at all costs. Focus on your overall security program, your approach to securing data, and do not forget your response to a breach or security incident. Today, every company needs a communications and response plan. This is a form of risk reduction. Data breaches are, unfortunately, becoming more common. Plan for your response. Keep topics like cyber insurance, employee security education and cloud provider data loss mitigation in the conversation with your board (they read magazines just like you do and know all about cloud). Position your security program maturity compared to others in the industry. Are you better, worse or just getting started? A key goal should be to be "less interesting" and more difficult to breach than your peers, a competition of sorts. Let the board know that. Your ultimate goal is to reduce overall cyber-security risk, and one of the key ways to accomplish this is to reduce your threat footprint and your profile overall.

Use your board conversation to not only discuss cyber risk and the mitigation of that risk, but to ask for the resources you need to mitigate the risk. The board wants to know that you are doing the right things, understand the threats and are on the frontline in working to stay ahead of the emerging threats. Part of your overall roadmap for cyber-security should be to constantly evaluate new people, process, technology and solutions that can enhance your security posture. This should not only be central to your efforts, but should be foundational in your discussion with the board.

Framing a conversation around cyber-security is an evolving task. With cyber breaches becoming a regular news item and boards under pressure to ensure their cyber-security programs are sound, expect this conversation to be a regular part of your board audit committee meeting. Even if this has not been a part of your board meetings to date, you can start now by creating a risk-based, business-language framed conversation with your company and board leadership.
