Over the past few weeks, I’ve had the rare opportunity to meet with board members and discuss their views on cybersecurity. Many of the questions I posed were sourced from my LinkedIn community, where 25-plus people suggested 50-plus unique questions (eek!).
Even in our short time together, I was left with a much deeper understanding and empathy for board members’ positions. I was also left with an appreciation that we need to have this constructive dialogue with board members and listen to their perspective and expectations more often.
We discussed their recent interest in security, and they cited the following:
- Increased volume of activities (Russian interference in US election, phishing, ransomware, etc.).
- The impact of that activity on companies’ strategies (e.g., Equifax, Ashley Madison, Yahoo).
- The catch-up of companies who are not in financial services (noting that banks are well versed, as threats started with internet banking).
- Third-party risk is becoming a clear issue to them.
Board Members’ Awareness And Understanding Of Security Is Not Perfect — But Improving
This really made an impression on me. The board members admitted to having an evolving understanding of cybersecurity. Some of the things that have helped raise awareness and understanding include live exercises, breaches they’ve experienced, AICD (Australian Institute of Company Directors) cybersecurity courses, and consultants presenting to boards on the topic. They expressed their desire for more learning and education.
The Good News? A Clear Set Of Common Trends Emerged From Our Discussions
- Boards’ priority of cyber is top of mind. Cyber risk was readily accepted as a top priority for boards. One board member went as far as to suggest it is a big existential threat. And another said if cyber is not on the corporate risk register somewhere at the top, someone is not doing their job. I can’t help but ponder that at times, mechanical bureaucracy in many organizations means that it’s still not on the risk register.
- Boards want to hear from and have a trusted dialogue with their CISOs. To cut a long story short here, they want the CISOs to be translators and communicators. Language, jargon, and not having a common lexicon about cybersecurity were mentioned as contributing to the problem, and CISOs need to be part of the solution. I also learned that board members want to see their CISO as the author of the report and not just the CIO or someone presenting on behalf of the CISO. They want a dialogue.
- Communication of cybersecurity to boards has to be transparent and in a risk language. Risk, risk, risk . . . The number of times the topic of putting security in a business risk context came up was notable. Boards understand risk, and this is what they do on a day-to-day basis. They want us to fit into existing risk frameworks. They want to hear the “exceptions” (e.g., talk about the 5% of data that is not protected, not the 95% that is). And they need our honesty and us to talk to them about what’s broken. (Of course, for those of us living this day-to-day, it isn’t as simple as it sounds — mechanical bureaucracy sometimes pushes CISOs to water the messages.)
- There was a wish for a more normalized conversation in five years’ time. At the security event, one of the prominent board members noted that she hasn’t seen a room so lacking in diversity since her days in financial services in 1998. She promptly wished that in five years’ time, we would see more diversity in the profession. Additionally, everyone agreed that in five years’ time, they hope that this conversation is a bit easier and more normalized for all involved — boards and CISOs alike. I will keep this conversation going through my research and writing.
I welcome your thoughts on the above. I am especially thinking of how we can keep this conversation between security and boards alive.