The Board’s Role in Cyber Risk Management: Advice from Top Directors
In today’s evolving threat landscape, corporate directors are increasingly asking for security performance updates from Chief Information Officers, Chief Information Security Officers, Chief Risk Officers, and other executives.
At Bitsight’s inaugural EXCHANGE forum last month, a panel of directors and executives from top global companies discussed the importance of Board involvement in mitigating cyber risk.
The panel was moderated by Suraj Srinivasan (Professor, Harvard Business School). The panelists included Ed Brandman (Chief Information Officer, KKR & Co.), Andy Brown (Board of Zscaler and Guidewire), Bijoy Sagar (Chief Digital and Technology Officer, Stryker) and Shelley Leibowitz (Board of AllianceBernstein and E*TRADE).
Panelists Ed Brandman, Andy Brown, Bijoy Sagar, Shelley Leibowitz, and Suraj Srinivasan discuss the Board’s role in cybersecurity at Bitsight’s inaugural EXCHANGE forum on October 10, 2018.
Here are some of the key takeaways from the discussion:
1) When it comes to cybersecurity, Board members need to completely understand the spectrum of risk for both their organization and industry.
It’s important for directors to understand the landscape around their company: its value and possible threats to that value, as well as company decisions, their residual risk, and the risk-mitigation techniques being employed. Understanding both qualitative and quantitative data allows organizations to look backward and forward; the cybersecurity audit committee should focus specifically on looking backward while the risk oversight committee focuses on what may happen. This helps create a comprehensive picture of risk both within and outside the organization. Companies, especially those that have a strong digital presence, must think about risks that may not seem obvious. As one executive said, “Think about the risks you may not be thinking about and expect the unexpected.”
2) While some Boards have a cybersecurity expert, most do not. Instead, the risk oversight committee should fulfill this role and facilitate discussions that provide the appropriate context around cyber risk.
The shortage of security professionals among Board members emphasizes the need for collective responsibility around cybersecurity and cyber risk. While most Boards do not have a designated cybersecurity expert, an increasing number are assigning this responsibility to the risk oversight committee. According to another executive, risk committees should be accountable for several cybersecurity-related areas: governance, policy, testing, transparency, and resource allocation.
All executives agreed it’s critical for Boards to get — and understand — the qualitative and quantitative information needed to make informed decisions about cyber risk, particularly when it comes to transparency. Security ratings are one tool many of these Boards are using as an external, objective measurement of their company’s security posture — recognizing that internal measurements only go so far because of their natural biases. This is also significant when chief information (and information security) officers are reporting to Board members and can use security ratings to track security performance and trends over time.
3) The cybersecurity information presented in Board meetings must align with business objectives and areas of responsibility.
Another executive emphasized that the most important thing for him is aligning his roles and responsibilities with the Board. He looks at cybersecurity reporting in terms of conveying applicable information about the threat landscape, sharing insights into trends, and articulating the strategy (particularly the public relations strategy) around all efforts.
Another executive said his Board has a cybersecurity expert but his relationship with the Board as chief information officer is unique; he views his primary role as disclosing a strategy around how to keep the business safe and the areas his team is most focused on. He lays out the roadmap for the Board and outlines how it can help in resourcing, financial commitment, and prioritization within a business context. He acknowledges that every company is going to think about cyber risk in a different way but that his job is to help educate the Board on how it constructs its risk management model and strategy, as well as how it responds to risk.
While every company thinks about risk management in a unique way, executives need to convey critical information to the Board of Directors in a consumable way. One component can be a reporting metric like a security rating, but ultimately the goal should be to convey the company’s positioning and strategy to address cyber risk in a proactive, efficient manner.
This blog post was originally published on the NACD BoardTalk blog.