Insights blog.

Cybersecurity is a growing topic of discussion in Board meetings everywhere — given this fact, Board members need to be prepared to speak knowledgeably about their organization’s cybersecurity posture and programs. As businesses near the last quarter of the year and begin their planning processes, Boards must also be thinking about how to best prepare for 2019.  Here are some factors that Boards must take into consideration:

In today’s landscape, managing your internal security processes as well as creating a third-party vendor risk management program should be top of mind, but prioritizing a solid understanding of the metrics surrounding your cybersecurity programs almost just as important. These metrics should dive deeper than “yes” or “no” questionnaire answers, but should help you gain a more comprehensive understanding of where you and your third parties fall when it comes to proactively mitigating cyber risk.

In today’s evolving cyber risk landscape, Boards of Directors are becoming increasingly concerned about their company’s security performance. In fact, the NACD has found that 89% of public companies and 72% of private companies regularly discuss security at Board meetings. While they are asking for updates on enterprise cybersecurity posture more often, they do not necessarily have the expertise or experience to know what to ask for — or how to interpret the technical information presented to them.

As a member of your company’s board, you know that cybersecurity is a critical risk that simply cannot be ignored, and that should be reported on regularly by the appropriate executives. According to the 2017 NACD Director’s Handbook on Cyber-Risk Oversight, 89 percent of public-company directors say cybersecurity is discussed regularly in board meetings, and 72 percent of private-company directors say the same. Most companies are clearly moving in the right direction.

Cybersecurity is a growing topic of discussion in Board meetings everywhere, and more and more security professionals are being asked to present on it in high level meetings. Company leadership is busy, so it’s your responsibility to present a case to them that’s ready for review. We reached out to some security executives and CIOs and asked them for tips on what common mistakes to avoid when presenting your case to executives or the Board.

An increasing number of security and risk management executives are being asked to present to the Board of Directors on the state of their — and their third parties’ — security and risk programs. A recent joint survey by Veracode and NYSE found that nearly 80% of directors said that cybersecurity topics are discussed at nearly every board meeting.

Today, businesses are at an interesting intersection when it comes to cybersecurity reporting: with modern technology, tons of data and thousands upon thousands of metrics are available to report on — but it’s difficult to determine which cybersecurity metrics actually matter. Because of this conundrum, many security and risk professionals feel a level of confusion around their security posture (and the security posture of their third party vendors). Does this sound familiar?

In today’s market, an increasing number of security and risk management executives are being asked to present to the Board of Directors on the state of their — and their third parties’ — security and risk programs. Gartner estimates that by 2020, 75% of Fortune Global 500 companies will treat vendor risk management as a board-level initiative to mitigate brand and reputation risk. Bitsight understands that making an organization’s cybersecurity posture accessible to C-level executives and the Board of Directors is becoming more of a requirement within the business; we’ve added capabilities within Bitsight Security Ratings that arm security and risk management executives with actionable metrics that they can share with the Board of Directors.

There’s no doubt that organizations understand the value of implementing strong cybersecurity programs and encouraging their third parties to do the same. As data breaches continue worldwide, 63% of those breaches are caused through a third party vendor, according to Soha Systems’ Third Party Advisory Group. As such, Boards of Directors realize the need to have security and risk practitioners such as Chief Information Security Officers (CISOs) and Chief Information Officers (CIOs) provide their expertise and guidance. In today’s landscape, cyber risks are at the front of Boards’ minds. This is why it is critical that security practitioners be in the room.

There are many different metrics that the CISO or CIO collects to measure the performance and effectiveness of its cybersecurity program. But only a select number of these metrics hold enough weight to be reported to the C-suite. The security metrics and measurements that make it to the boardroom should be presented in a language the Board understands, and should speak directly to whether the organization is taking the right steps toward security. 

There has been a lot of debate recently about the role of senior executives and boards in managing cyber risk. If you’re involved in advising either of these groups today on cybersecurity, I urge you to focus on one thing: tugboats. 

During last month's FS-ISAC webinar, Home Depot, the SEC and Increasing Board Oversight: Why Metrics Matter More and More, Bitsight CTO and Co-Founder Stephen Boyer answered questions from attendees about why using IT security metrics is more important than ever before. He also performed a live demo of Bitsight Security Ratings to show how to prove that security ratings work.

ISACA and the Institute of Internal Auditors (IIA) recently released a report emphasizing the board’s role in overseeing security risk management. In particular, the report mentioned management of third party risk, arguing that boards should ask tougher questions about third party security. According to an IIA survey, only 14 percent of board members said they were actively involved in cyber security oversight. Even though the SEC has asked board members to get involved, 58 percent of board members admit that they should be doing more. If you’ve struggled to get your board to become engaged in your security risk management efforts, particularly related to third party risk, now is the right time to make them aware.

It took a long time for the CISO role to emerge in corporate America (and maybe 25% of large enterprises have one), so it will be quite a while before it becomes a consistent board seat.  In the meantime, corporate boards are made up of current and former CEOs, CIOs & CFOs, academia and distinguished public servants from civilian and military backgrounds.  I believe they are all too aware of the implication of cybersecurity risk.  Like many senior executives, boards have recently had a crash course in the impact of security breaches.  Either because they have witnessed them first hand….or from ‘a safe distance’ as competitors and peers have struggled through cyber attacks and loss disclosures.  But there is no existing framework for discussing cybersecurity risk among a corporate board, certainly nothing that equates to their existing framework for discussing growth, profitability, legal exposure, supply chain, M&A, HR best practices, geopolitical risk etc.  For those perpetual board meeting topics there is a consistent push for internal data and instrumentation that can be compared and benchmarked with a peer group, an industry or a competitor.
For 'the practice' of board oversight to extend to cybersecurity risk, those same benchmarks must exist.  Without objective comparison between peer/competitor/industry, how can the experience and advice of your celebrated academic, retired CEO, distinguished public servant or maverick CIO have any context? How can measurement be put in place?
Mr. Aguilar is on the right track. Boards must start taking responsibility for the cybersecurity of their companies. If not, there will likely be financial and reputational repercussions for board members that fail to place this issue as a critical priority in retaining and growing the value of a company. Yet, while the time for board level discussions on cyber security has come, it is also the time for new innovative solutions to enable this practice. This is where Security Ratings come in.