Boards: It’s Time to Step Up and Take Ownership of Cybersecurity

CISOs are from Mars, boards are from Venus. This is the conclusion I drew from my discussions with John Madelin and with one of the authors of a Cyentia report on how effectively CISOs and boards communicate with each other.

In mid-December 2023 this became more pressing, as the SEC's new cybersecurity disclosure rules came into force.

I vividly recall one attack, while working with an organisation, against one of their suppliers. Though the impact on the client was minor, amongst the exposed data were copies of confidential employee details and a contractual document belonging to the business, which should never have been shared with that supplier at all.

It led me to question a) the supplier's data management (and deletion) policy, b) the business's own diligence in sharing sensitive documents with third parties, and c) how closely the business scrutinised its suppliers' obligations around data management and cyber security.

Despite strong cybersecurity measures, there were wider organisational challenges. There was no centralised list of which customers that supplier served, so identifying affected customers took time and delayed breach notification; the supplier also worked across multiple business units, which complicated the response further.

Taking part in a recent cyber security discussion about where accountability for cyber security sits in a business, it became evident that we still often treat it as a matter for the CISO or the CIO.

Cybersecurity Ventures projects global cybercrime costs to grow by 15% per year over the next five years, reaching $10.5 trillion annually by 2025. Boards often focus too narrowly on identifying and protecting the business's assets, rather than on resilience: the ability to respond and recover when an attack succeeds. In doing so, they are failing their companies.

It’s time for a new thought process and a new approach. To prevent, defend against, and recover from a cyber security attack, organisations must involve leadership, people, processes, organisational setup and technology.

CISOs and the Board: The Gulf is Huge

I prepared for a panel discussion hosted by John Madelin at the excellent SASIG event "Reaching the Board Room: Working Together to Meet the Cyber Challenge", which was all about what CISOs should tell the board room and what questions boards should ask. Both the research and the follow-up discussions in the room highlighted that the gulf is huge.

Just 69% of board members see eye to eye with their CISOs. Fewer than half (47%) serve on boards that interact with their CISOs regularly, and almost a third only see their CISOs at board presentations. This is nowhere near enough time to develop a meaningful conversation around cybersecurity strategy and goals.

What are boards saying?

70% reported that they understand everything that they’re being told by IT and security executives in their presentations, but more than half (54%) agreed or strongly agreed that the data presented was too technical. 85% believe that IT and security executives need to improve the way they report to the board, and two in five do not believe that risk is reduced as a result of their conversations with, and reports from, IT and security executives.

What are CISOs saying?

On average, four out of five data breaches are reported to the board, but fewer than half of all attack attempts are. Only one third of IT and security executives believe the board comprehends the cyber security information provided to them. Only 40% believe the information they provide to the board is actionable, and only 39% believe they are getting the support they need from the board to address threats.

In short, many boards of directors accept substandard information, and many IT and security executives are content to provide it.

What Does Taking Ownership Actually Mean?

Cyber security is too often

  • a technical discussion, NOT a business discussion.
  • discussed in isolation with the CISO (and IT), NOT as part of the wider business conversation.
  • described in catastrophic terms, NOT in a differentiated manner that distinguishes one risk from another.
  • backward-looking reporting of minutiae, NOT business-driven, forward-looking measures.
  • seen as a business preventer, NOT an enabler, let alone a business partner.
  • treated as a problem for technology alone, RARELY one for business processes and people as well.

In my opinion, cybersecurity sits in the wrong place in the organisation. It has been siloed into a very technical stream, and 46% of S&P 500 company boards allocate responsibility for it to the audit committee. It is seen as a tick-box technical and compliance function, but for cybersecurity to work, it needs to be seen holistically. Think: people, process, technology.

Most board members are not cyber experts, but cybersecurity must be business-led, and the responsibility sits with the board. This technical conversation needs reframing, to be a business conversation.

It’s always a great idea to have a cyber expert on the board, but I’m not saying that every Director needs to become one. What I am saying is that by focusing on risk, reputation and business continuity, and by establishing clear, consistent communication with CISOs built on useful and objective metrics, boards can close the gap between themselves and their CISOs.

When that supplier was attacked, the leadership team treated cyber security as a management topic: assigning a primary owner for each supplier, establishing an annual legal review of contracts, integrating cybersecurity discussions into procurement reviews, and using the incident to remind staff of the importance of data confidentiality. Even in that minor incident, and in addition to having the right technology infrastructure in place, the company's ability to respond swiftly depended mainly on organisational accountability, governance and process changes, none of which sat within the remit of the CISO or CIO.

Your Cyber Strategy Needs to be Aligned with Your Overall Strategy

Cybersecurity is not something that sits on the shoulders of the IT department; it is an enterprise responsibility. It demands integration into all operational and strategic decisions – whether growing operations, breaking into new markets, developing new services and products, or making acquisitions.

The board’s involvement in developing a cybersecurity strategy ensures a nuanced understanding of vulnerabilities. It facilitates a tailored defence – and the opportunity to differentiate yourself from competitors.

After all, it is not a case of ‘if’ we fall victim to a cyber-attack, but ‘when’. Preventing an attack should not be the only concern. The focus should be on readying the organisation for effective response and recovery, with minimal damage to the bottom line and reputation.

A great NPSA training video I once saw showcased a number of inconspicuous activities in the marketing, HR, finance and R&D departments. On their own these actions were harmless, but together they created a major security risk. While the video focused on insider risk, the same applies to cyber security. It is a misconception to think that cyber threats come only in digital form. Cyber resilience is not only a responsibility of each department and each employee; it also needs to be a subject owned by the CEO.

Making cybersecurity a priority for the board means more than a quarterly PowerPoint deck. Leadership and boards must educate themselves in new and different ways, become more vocal in directing CISOs, and learn to ask the right questions:

  • What are the most critical information assets we need to protect?
  • Do we understand who owns those information assets, and the risks the business would face if they were exposed, corrupted or made unavailable?
  • What type of cyber incident could significantly impact our business? What is the likelihood of such an incident? What risk mitigation is available, and what needs to be put in place for an effective response plan?
  • Have we assessed our value creation and supply chain for cyber security risks? What measures do we have in place?
  • What cyber protection layers do we have in place? Are all the basics in place and regularly reviewed? What is the next recommended action to improve our cyber security?
  • What lessons have we learned from recent cyber security incidents? Have those learnings been implemented?
  • How did our cyber response plan work? What can we improve?
  • When will we have our next tabletop exercise? What role will the board play in tabletop exercises and in actual crisis response?
  • What developments do we see in the market? What can we learn from them?
  • How is the budget split between incident response and recovery on the one hand and protection and defence on the other? Have we set enough budget aside for response and recovery?
  • What is our cyber security governance framework? Is the setup clearly understood and implemented across the organisation, especially in relation to other support functions and business ownership?
  • What reporting is in place in the business, and who owns it? Which KPIs are relevant for our business from a cyber security perspective?
  • What policies and training do we have in place? What are we doing to create a safety culture?


‘Culture’ Also Means Weaving Cybersecurity into Your DNA

A company's vulnerability is of course shaped by its IT infrastructure, and every company needs to have the basics in place: patching and upgrading systems swiftly, ensuring passwords are more than basic, and using two-factor authentication. Just one unsecured server can be the entry point for a cyber-attack.

However, most security incidents are fuelled by human error and technology alone will not protect companies. The weak link lies in behaviour – a challenge that can only be addressed through a blend of technology investment and cultural transformation.

Only 67% of board members believe human error is their biggest cyber vulnerability, although World Economic Forum findings indicate that human error accounts for 95% of cybersecurity incidents, for example falling for a phishing attack or using easy-to-guess passwords.

As Professor Angela Sasse, Chief Scientific Advisor at OutThink, says, “It’s time to see your people as the solution, not the problem.”

Cybersecurity needs to be part of the corporate culture, not simply in addition to the culture. Flavius Plesu, CEO and Founder at OutThink, wisely says, “If you want people to engage with their cybersecurity training, talk TO them, not AT them. Rolling out a generic program is a guaranteed way to make sure absolutely no one cares what you have to say.”

It’s not merely about creating a handbook; it’s about infusing safety into the organisational fabric so that every employee is constantly reminded that organisational safety is a part of their role in the modern workplace.

In Summary

It’s not rocket science.

Aligning cyber strategy with the overall business strategy creates a symbiotic relationship, turning cybersecurity into an enabler rather than a standalone function. To go beyond simply understanding risks and actually take ownership, businesses and their boards must work proactively with their CISOs to establish robust frameworks, policies and accountability, allocate resources strategically, and embed a culture of cybersecurity into the DNA of the organisation.

The companies that effectively manage their entire portfolio of risks, including cyber, and so build a resilient, adaptive defence against evolving threats, are the ones that succeed in the marketplace.

Don’t treat this as ‘not your conversation’, even if you do not ‘get’ tech. There are many great resources made available by governments.

Make time to explore these resources:

  • https://www.ncsc.gov.uk/collection/board-toolkit/toolkits-toolbox
  • https://www.nist.gov/cyberframework
  • https://www.npsa.gov.uk/insider-risk-mitigation-digital-learning

Charles O'Brien

Partner at FGS Global Paris

10 months

Great observations Ursula, and an important reminder of how cyber risk has become a Board level issue which needs to be addressed with a far more holistic, informed and integrated approach.

Jane Frankland

Cybersecurity Influencer | Advisor | Author | Speaker | LinkedIn Top Voice | Award-Winning Security Leader | Awards Judge | UN Women UK Delegate to the UN CSW | Recognised by Wiki & UNESCO

10 months

Great blog Ursula Morgenstern. For years, so many of us have been arguing these points - cybersecurity sits in the wrong place in the organisation. It has been siloed into a very technical stream. It needs to fall under business & be business led.

Very true. Alas this is an old problem, which has plagued the industry for many years. Solving this issue will be a quantum leap for real world cybersecurity. Good thought leadership by SASIG.

Tarquin Folliss OBE

Vice Chairman, SASIG Events

10 months

Great point, Ursula. Regulation is making it more difficult for boards to plead ignorance on cyber. All businesses are tech businesses now. IT is not just a function but the critical component. The challenge remains, as you put it so eloquently, for boards and tech experts to avoid talking past each other. Learning to communicate on what is a simple (in terms of risk) yet complex (in terms of exposure) issue will be key to improving resilience.

Flavius Plesu

Founder & CEO at OutThink – the original cybersecurity human risk management platform - by CISOs, for CISOs

10 months

Great blog post Ursula and thank you for the name check. :)
