Creating a Cybersecurity-Savvy Board
Mark A. Pfister - 'The Board Architect'
Non-Executive Director | Board Director | CEO | Chief Board Consultant | Corporate Strategist | Board Macro-Influencer | Speaker | Author | IBDC.D
A Ready-To-Use Framework For Intelligent & Holistic Engagement
(Originally appeared in the September 19th, 2019 'Across the Board' publication, a Board Director, Board Advisor, C-Level, and Business Newsletter reaching 26,500+ exceptional business leaders in over 70 countries with articles focused on leadership, strategy, and governance topics - sign up here)
As our digital environment continues to expand, there is much to celebrate on human advancements in both cause and effect of this trend. Just a few of the obvious advancements that make our lives easier and more fulfilling include increased communication speed, social connectivity, accessible education, remote working opportunities, and all types of helpful automation. Yes, I know this list is woefully light with so many other available examples to list. With all of the upside, however, it is sometimes easy to overlook the negative side of so-called advancement. As quickly as digital upside can occur, just as quickly can a potential digital downside be encountered. For a Board, the downside of our digital environment typically rears its ugly head in the form of the cybersecurity topic.
Although cybersecurity is a huge buzzword in the boardroom, it remains a foggy and ever-morphing challenge for many organizations ...but how is this possible, you ask? Data security has become synonymous with risk and reputation, so how is it that something that can instantaneously affect brand and shareholder value remains such a challenge? Opinions still vary on the definitive need for cybersecurity experts on specific Boards, but there is a general consensus among Boards, management, and investors that this need is increasing. A Forrester Consulting Thought Leadership Paper commissioned by BitSight, entitled 'Better Security And Business Outcomes With Security Performance Management,' polled 207 security decision-makers with responsibility for risk, compliance, and/or communications with Boards of Directors to explore this topic, and it tells a sobering story for those still unconvinced. This study evaluated how security leaders measure their enterprise’s security performance and states, "...more than one-third of companies agree that they have lost business due to either a real or perceived lack of security rigor. Additionally, 82% of decision makers agree that the way customers and partners perceive security is increasingly important to the way their firm makes decisions."
Boards are generally answering the call to infuse cybersecurity expertise into their immediate circle as the steady news stream of data breaches, fines, and subsequent social media tidal waves swirls. What is interesting with this trend, however, is how the application of both strategy and governance of the cybersecurity topic typically remains with only one Board Member (the cybersecurity expert), even when the Board makes the deliberate effort to tackle the issue. In other words, with cybersecurity being such a specific knowledge and skillset area, the question must be asked: how is it even possible for other Board Members, some with no technology or data security background, to institute proper 'checks and balances' and intelligently be part of the discussion? "The single biggest weakness in Board oversight of Cyber risk is that Cybersecurity is treated as a black magic where only the initiated can participate. Since most Board Members believe they are not initiated, they exclude themselves from trying to understand," states Alex Beigelman, CEO at Beigelman Risk Advisors and Chairman Of The Board at The National Cybersecurity Society. "The truth is that Cybersecurity and Cyber risk are only different because they are presented in arcane and highly technical language. The issues can and must be explained in a way any Board Member can understand. The task, therefore, is not to make every Board Member a Cyber expert, but to bring in advisors who can remove the secret veil and inform rather than mystify."
Savvy Board Directors know that a key component of their success, and the success of the organizations they serve, is in asking the right questions (remember that questions relating to process and measurement can be most beneficial in the boardroom). They also know that an emergency doesn't have to be an absence of choice. These concepts remain absolutely true for Board Directors when 'probing' in the cybersecurity area, too. Whether you are a cybersecurity expert or technologically clumsy, a cybersecurity framework is a great reference point to channel your thoughts into logical 'buckets.' By understanding a cybersecurity framework, your purpose and direction can become quite clear at any knowledge level. A great cybersecurity framework can be referenced within the National Institute of Standards and Technology (NIST), a division of the U.S. Department of Commerce. From their 'New To Framework' webpage, their charter is clear by stating, "Recognizing the national and economic security of the United States depends on the reliable function of critical infrastructure, the President issued Executive Order (EO) 13636, Improving Critical Infrastructure Cybersecurity, in February 2013. The Order directed NIST to work with stakeholders to develop a voluntary framework – based on existing standards, guidelines, and practices - for reducing cyber risks to critical infrastructure. The Cybersecurity Enhancement Act of 2014 reinforced NIST’s EO 13636 role."
Framework Components
The NIST framework is quite unique in that it caters towards both the cybersecurity expert AND cybersecurity novice simultaneously - by design. The Cybersecurity Framework consists of three main components: the Core, Implementation Tiers, and Profiles.
The Framework Core provides a set of desired cybersecurity activities and outcomes using common language that is easy to understand. The Core guides organizations in managing and reducing their cybersecurity risks in a way that complements an organization’s existing cybersecurity and risk management processes.
The Framework Implementation Tiers assist organizations by providing context on how an organization views cybersecurity risk management. The Tiers guide organizations to consider the appropriate level of rigor for their cybersecurity program and are often used as a communication tool to discuss risk appetite, mission priority, and budget.
Framework Profiles are an organization’s unique alignment of their organizational requirements and objectives, risk appetite, and resources against the desired outcomes of the Framework Core. Profiles are primarily used to identify and prioritize opportunities for improving cybersecurity at an organization.
Framework Implementation Tiers
Tiers describe the degree to which an organization’s cybersecurity risk management practices exhibit the characteristics defined in the Framework.
The Tiers range from Partial (Tier 1) to Adaptive (Tier 4) and describe an increasing degree of rigor, how well integrated cybersecurity risk decisions are into broader risk decisions, and the degree to which the organization shares and receives cybersecurity information from external parties.
A further step-by-step lifecycle breakdown of the framework is seen here and is likely most helpful for non-cybersecurity Board Members. Understanding the path and focal-points of how robust cybersecurity programs operate can work wonders in becoming a helpful Board Member when it comes to weighing-in and participating intelligently.
So, let's make all of this implementable with a few examples of how a Board Member can leverage an agreed cybersecurity framework and lifecycle for their benefit and for the benefit of the organization. When discussing the overall cybersecurity program, or a specific component, in the boardroom:
For non-cybersecurity Board Members:
- Listen carefully to the discussion to pinpoint which lifecycle 'step' is being addressed (identify, protect, detect, respond, recover). This will give you a footing on which specific area is being referenced.
- Look for lifecycle steps that are rarely touched on or breezed through for gaps in the needed holistic cybersecurity process. For example, if the topics of identify, protect, and detect are frequently discussed, focus your questions on the readiness and robustness of the respond and recover lifecycle steps. Always consider the balance of all areas to ensure a holistic program.
- Come to the boardroom more prepared! Further your knowledge through programs, courses, and workshops that specifically address the governance aspects of properly implemented cybersecurity programs.
For cybersecurity Board Members:
- Structure your discussions on the cybersecurity topic mindfully by first calling out the lifecycle step that you are addressing (identify, protect, detect, respond, recover). This helps to create a visual reference point for all Board Members at any level of cybersecurity knowledge.
- Aim to level the 'technology speak' to layman's terms to ensure understanding at all levels of technology and cyber awareness.
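The two framework ideas a Board Member can actually put numbers on are the Profile (where the organization sits today versus where it wants to be, per Core Function and Tier) and the 'which lifecycle step is under-discussed' check from the list above. The following is an added example, not code from the article, NIST, or the author: it takes a constructed Current and Target Profile and a constructed set of boardroom discussion items tagged by Function, lists the largest Tier gaps first, and flags the Functions that received little or no discussion time. The organization, Tier assignments, agenda items and the 15% threshold are all assumptions; the Tier names for Tiers 2 and 3 come from the published NIST CSF v1.1, which the article does not spell out.

```python
"""Added example (not from the article): a small NIST CSF Profile gap analysis
plus a boardroom coverage check over the five Core Functions.
All profiles, Tier assignments and agenda items below are constructed sample data."""
from collections import Counter
from typing import Dict, List, Tuple

# The five Framework Core Functions, in lifecycle order, as named in the article.
FUNCTIONS: Tuple[str, ...] = ("Identify", "Protect", "Detect", "Respond", "Recover")

# Implementation Tiers 1-4 (names as published in NIST CSF v1.1).
TIERS: Dict[int, str] = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}

Profile = Dict[str, int]  # Function -> Tier the organization sits at (or aims for)


def validate_profile(profile: Profile) -> None:
    """Reject a profile that is missing a Function or uses an unknown Tier."""
    missing = [fn for fn in FUNCTIONS if fn not in profile]
    if missing:
        raise ValueError(f"profile is missing Functions: {missing}")
    bad = {fn: t for fn, t in profile.items() if fn not in FUNCTIONS or t not in TIERS}
    if bad:
        raise ValueError(f"unknown Functions or Tiers in profile: {bad}")


def profile_gaps(current: Profile, target: Profile) -> List[Tuple[str, int, int, int]]:
    """Compare a Current Profile with a Target Profile.

    Returns (function, current_tier, target_tier, gap) for every Function whose
    target exceeds its current Tier, largest gap first; ties keep lifecycle
    order, so the biggest improvement opportunities sit at the top of the list.
    """
    validate_profile(current)
    validate_profile(target)
    gaps = [
        (fn, current[fn], target[fn], target[fn] - current[fn])
        for fn in FUNCTIONS
        if target[fn] > current[fn]
    ]
    gaps.sort(key=lambda g: (-g[3], FUNCTIONS.index(g[0])))
    return gaps


def discussion_coverage(agenda_items: List[Dict[str, str]], min_share: float = 0.15
                        ) -> Tuple[Dict[str, int], List[str]]:
    """Tally which Core Function each boardroom discussion item addressed.

    Returns the per-Function counts and the Functions that received less than
    `min_share` of the discussion (or none at all), in lifecycle order. An empty
    agenda flags every Function, since nothing has been covered yet.
    """
    counts = Counter({fn: 0 for fn in FUNCTIONS})
    for item in agenda_items:
        fn = item["function"]
        if fn not in FUNCTIONS:
            raise ValueError(f"item {item!r} is tagged with unknown Function {fn!r}")
        counts[fn] += 1
    total = sum(counts.values())
    under = [fn for fn in FUNCTIONS if total == 0 or counts[fn] / total < min_share]
    return dict(counts), under


def report(current: Profile, target: Profile, agenda_items: List[Dict[str, str]]) -> List[str]:
    """Render both analyses as plain lines a Board pack could carry."""
    lines = ["Profile gaps (largest first):"]
    for fn, cur, tgt, gap in profile_gaps(current, target):
        lines.append(f"  {fn}: Tier {cur} ({TIERS[cur]}) -> Tier {tgt} ({TIERS[tgt]}), gap {gap}")
    counts, under = discussion_coverage(agenda_items)
    lines.append("Boardroom discussion coverage:")
    for fn in FUNCTIONS:
        lines.append(f"  {fn}: {counts[fn]} item(s)")
    lines.append("Under-discussed Functions to direct questions at: " + (", ".join(under) or "none"))
    return lines


# Constructed sample data for a hypothetical organization (not from the article).
CURRENT_PROFILE: Profile = {"Identify": 3, "Protect": 3, "Detect": 2, "Respond": 1, "Recover": 1}
TARGET_PROFILE: Profile = {"Identify": 3, "Protect": 4, "Detect": 3, "Respond": 3, "Recover": 3}

SAMPLE_AGENDA = [  # ten constructed discussion items, each tagged with one Function
    {"topic": "asset inventory refresh", "function": "Identify"},
    {"topic": "third-party risk register", "function": "Identify"},
    {"topic": "crown-jewel data classification", "function": "Identify"},
    {"topic": "MFA rollout status", "function": "Protect"},
    {"topic": "patch SLA compliance", "function": "Protect"},
    {"topic": "security awareness training", "function": "Protect"},
    {"topic": "backup encryption", "function": "Protect"},
    {"topic": "SOC alert volume", "function": "Detect"},
    {"topic": "logging coverage", "function": "Detect"},
    {"topic": "incident response plan tabletop", "function": "Respond"},
]

if __name__ == "__main__":
    print("\n".join(report(CURRENT_PROFILE, TARGET_PROFILE, SAMPLE_AGENDA)))
```

Run as a script, it prints the gap list (Respond and Recover two Tiers short, Protect and Detect one) and then flags Respond and Recover as under-discussed, which is exactly the pattern the bullet above describes: a Board that talks mostly about identify, protect and detect should aim its questions at respond and recover. The threshold and the Tier targets are the parts a real Board would set for itself.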
When an entire Board increases its cybersecurity awareness, knowledge, and information sharing approach, it dramatically lowers the overall organization's risk. "Enterprises with mature response and resolution of cyber attacks will have a better chance to absorb the impact of the compromise," states Ondrej Krehel, CEO of LIFARS, a cybersecurity firm based in New York City. "Executives should focus on gaining visibility and auditability of cyber incidents, including potential attacks. It is important to have a true understanding of what data are being targeted and why." In the true spirit of Board Director (and collective Board) continuing education, why not focus some needed effort in the cybersecurity area?
How are you prioritizing Cybersecurity Savviness within your Board?
Reach out directly to Mark A. Pfister to discuss creating Board Cybersecurity Savviness with his 'Strategy Workshop' offering and National Speaking Tour topics.
Mark A. Pfister - Board Consultant | Non-Executive Director | Strategist | Board Macro-Influencer | Speaker | Author - www.PfisterStrategy.com
____________
** WIN A FREE SIGNED BOOK **
Reach out with a short description or example of how you have elevated your Board's cybersecurity savviness for 5 chances to win a signed copy of my book, 'Across The Board: The Modern Architecture Behind an Effective Board of Directors.'
(Eligible through September 25th, 2019 and for shipping within continental U.S. only)
____________
About the Author: In addition to sitting on numerous Boards, Mark A. Pfister is a renowned Board Consultant, 'Board Macro-Influencer,' certified Board Director, speaker, author, and advises public, private, and nonprofit Boards in efficient and effective operations. Known as 'The Board Architect,' he is the inventor of the 'Board as a Service' (BaaS) engagement model and an expert Project Executive frequently advising on strategic global initiatives in their initiation and operational phases...
____________
Sponsored Advertisements
Advertise With Us
Have something that could benefit the 'Across The Board' community and further elevate leadership? By all means, contact me for pricing and multi-article discounts. Get your coveted offerings in front of the premier curated group of 25,500+ Board Directors, Board Advisors, C-Level, and Business Leaders in over 65 countries. The right audience makes all the difference!
____________
Have Mark join you on his National & International Speaking Tours
[ 14,500+ attendees / 80+ speaking engagements every year ]
'Becoming an Exceptional Board Director Candidate' Learn the proven and effective steps to plan and implement your Board Director strategy. Experience how these achievable & focused efforts help you convey the expertise and confidence needed for serious Board Director / Board Advisor consideration. (Available as a speaking engagement and/or a 1:1 individualized preparation coaching plan.)
'Building an Effective Board For Your Company' shows business owners and leaders the immense value of creating or rebuilding an experienced 'go-to' Board of Directors or Board of Advisors - and most importantly, how to do it via a step-by-step roadmap. Make your company soar with the right foundational elements of an effective Board. (Available as a speaking engagement and/or consulting engagement).
'The Strategy of Strategy' guides you through the 2500+ year history, evolution and next phase of Strategy - 'Amorphic Strategy.' Learn why strategy is so relevant to you personally as well as your business. Build and leverage your business strategy as well as your own personal strategy and experience how these focused efforts will help you thrive and reach your full potential (speaker video). (Available as a speaking engagement and/or consulting engagement).
!! NEW !! 'How To Win In Leadership Without Losing Yourself' Welcome to the Master Immersion Series where leaders finally get real world strategies for maximizing their impact. Developed by two CEOs, Linda Bjork & Mark A. Pfister, who have cracked a surprising code for what it takes to make both a company and its leadership impactful, inspiring, and ready for anything the future will bring. Be sure to 'Reach out' to sign up for information about upcoming public events, and if you are interested in a customized approach to improving leadership skillsets in your organization, please get in touch so we can find the best solutions for you. (Available as a speaking engagement and/or consulting engagement)
____________
'Across The Board' - The Modern Architecture Behind an Effective Board of Directors
In order for Boards, and the organizations they serve, to reach the level of trust, effectiveness, and operational excellence needed to excel, the ‘Foundational Architecture of the Board’ must be solid and constructed properly. An area that seemingly has never been covered or is skipped over is the actual ‘nuts & bolts’ foundational and architectural considerations of how to build a Board from scratch, or how to envision the rebuilding or evaluation of an existing, in-place Board. This has been the case over and over again in private, public, and nonprofit organizations - until now... Get your copy today.
Reached Amazon's "#1 New Release in Corporate Governance" in its first week of launch!
Now at 13,000+ copies in global circulation!
____________
Here's Some Additional Reading
'Why Do Boards Continue To Struggle With Strategy?'
'The Boards Continuing Education Priority'
'The Art of Respectful Dissent'
'Amazon, Politics, and the Board'
____________
"Get Quoted"
Want to be quoted in an upcoming 'Across The Board' newsletter article on a topic you are passionate about? Over 100 experts have done so to-date. Propose an article topic and let's work through the details. Reach out to get your name and company in front of the premier curated group of Business Leaders, Board Directors, & Board Advisors - go ahead, make a name for yourself!
CIO of PriceSmart, the only operator of membership warehouse clubs in Central America, the Caribbean, and Colombia
(4 years ago) An increasing number of CIOs & CISOs possess the broad skills & experience needed to be an effective Director coupled with the years of deep Technology leadership experience needed to ask the right cybersecurity (and other IT risk- and opportunity-related) questions and understand Management's answers. The emerging 'Qualified Technology Expert' (QTE) Director certification demonstrates mastery of both sets of qualifications. Just as SOX mandated the QFE (Qualified Financial Expert) Director to understand increasingly complex Board-level financial issues, the QTE can help Boards effectively oversee IT risks and opportunities.
IT Executive | CIO | Strategist | People Leader | Board Advisor | Government: Higher Education, Public Safety & Healthcare
(5 years ago) Excellent article.
Mentor & Strategy Expert | Independent Board Director/Advisor | Best-Selling Author | 3x Founder Each Company Sold | Next Generation Mentor | Family Office & Enterprise Specialist | Podcast Guest | Exec. Ascend Program
(5 years ago) Another excellent article to help our fellow Board Members, thank you Mark!
Non-Executive Director | Board Director | CEO | Chief Board Consultant | Corporate Strategist | Board Macro-Influencer | Speaker | Author | IBDC.D
(5 years ago) Special thanks to Alex Beigelman, Zeeshan Kazmi, CISSP, and Ondrej Krehel, PhD, CEI, CEH, EnCe, CISSP for their invaluable input and quotes within this article. Thank you!