From Crisis Comes Opportunity - Leveraging the Board for Security Needs

The future for some people right now will appear terrifying. In working with some leadership teams through this pandemic crisis, I have heard the three words you ‘possibly’ would not want to hear from a leader: “I don’t know”. Those three simple words can instill fear and uncertainty in some people.

However, I believe those words are also a potent leadership tool. Leaders willing to say they do not have all the answers demonstrate an open mind and show that vulnerability is OK. The exceptional leaders recognise the opportunity in front of them to step into the vacuum of uncertainty and present a clear and concise strategy. In doing so, they build on the crisis event for the greater good of all employees and the business.

Grappling with uncertainty means the lesson learned, knowledge gained or experience garnered will be that much more lasting when identifying strategy and fulfilling opportunity. When it comes easy to you, the learning is easily forgotten.

For those managing risks (CISO, CSO, CRO), COVID-19 is an opportunity to revisit your strategy, embrace what is working and reshape and re-present the opportunity of what needs to change in light of the events faced by businesses right now. Let us not forget that the current pandemic has been an opportunity for the criminally minded among us too, with exponential rises in phishing attacks, ransomware and more.

I believe one of the major opportunities for CSOs / CISOs is the continued digital transformation of the workplace and your role in securing it. This strategy will require Board level engagement, governance and support allied with your executive team to enable success. You may see other strategies that befit the organisation you work within. Whatever the opportunity, you will need top-down support to succeed.

What better time than now to leverage the Board and seek the support and buy-in you require? What better time for company Boards to proactively shape their company's security strategy and investment plans and recognise the opportunity this crisis presents!

Do you have a Board engagement plan? Do you have a strategy to manage up through your leadership team to the Board? Do you envision opportunity through this crisis?

I believe there are four key elements to shaping your Board relationship and engagement so that, in identifying the security opportunities, you maximise the chance of success. These are detailed below with recommendations:

  1. Strategic risk role of the Board - The Board’s role with regard to security, in line with its oversight of risk, is to provide strategic guidance to inform / direct the leadership's strategic risk judgement. To mature your relationship with the Board / leadership team, build confidence in your security operations by framing strategic discussions around key risk issues, opportunities and questions in light of recent events and future threats and risks.
  2. Building Board and leadership team security expertise - The Board and leadership team need to develop more of an understanding of security / cyber security to ultimately play a more active role and ask questions you may not have thought of. I can't stress enough the importance of investing time and effort in developing that expertise with your Board and leadership team. Find an advocate who can assist you in landing an annual curriculum of security learnings, providing on-going training and using credible third-party support.
  3. Developing meaningful security risk metrics and reporting - Boards and leadership teams require data and frameworks by which to understand the risk and thus the success (or otherwise) of the security programs the company is investing in. Allied with investing in educating your Board and leadership teams, developing meaningful, business orientated security metrics is key to your success. Invest in technology, programs, people and processes that enable you to regularly demonstrate (report) the success (or otherwise) in managing the threats and risks. This data should be presented in a clear, unambiguous, factual manner. Board security metric reporting is part of their collective education journey. Reporting is a skill. As is brevity!
  4. Alignment of the Board Risk Register - I believe Boards need a holistic view of security risks within the organisation. In doing so, they need direct access to the CISO / CSO to understand how security risks are being managed (from top right to bottom left of the likelihood / impact model). As a security leader, now is the opportunity to develop your collaboration with the CIO, CRO and other partners and present a unified view of converged security strategies to secure the digital transformation of the company. That converged operating model will take both the physical and virtual approach in securing people, assets and the business resilience of the company. In doing so the Board gets the complete picture and not just bit parts throughout the reporting period. If you have not already done so, ally yourself with others who have skin in the game in securing the company.

Undoubtedly the business operating environment for many companies will be very different going forward. 2020 plans have been ripped up, 2021 strategies turned on their heads. However, among all this chaos there is opportunity. For the CISO / CSO, these opportunities are aplenty; business and operational resilience will be a major focus and in turn, securing the digital transformation of the workplace will be a key part of that operational resilience narrative.

John F Kennedy popularised the inaccurate translation: “The Chinese use two brush strokes to write the word ‘crisis’. One brush stroke stands for danger; the other for opportunity. In a crisis, be aware of the danger–but recognize the opportunity”.

This was picked up by marketing gurus who saw an opportunity to sell optimism that is now the thriving industry of crisis and reputation management. There is nothing wrong in that but a 'flawed translation' sometimes has us all scratching our heads looking for positives.

I believe as a security leader you have to find the positives in all this.

Your Board and leadership teams are vital in believing in the positives you've identified, in understanding the opportunity you see in this crisis and thus enabling your success. Have an engagement plan, understand the key elements for success in engaging Boards and your executive team and then... execute.

Carpe diem my friends. Carpe diem.

Paul Mercer MPhil CSyP MSyI

Independent Security Professional. Founder @ HawkSight SRM Ltd | CSyP, MPhil

4 years ago

I agree, a very well thought out article. The security role must now reset in line with the recovery objectives of the business it supports. The security function must establish and communicate effective situational awareness to identify risks that might impact renewed objectives and then offer options on cost effective mitigation to empower business to seize opportunity as soon as it presents itself. Good luck to everyone.

Dennis M. Clark

Team ADAM Consultant, NCMEC Retired Chief Security Officer Retired DEA Supervisory Special Agent

4 years ago

Excellent article Adam. Much food for thought as we move through our corporate resiliency models. Agree on a great deal of opportunities for the CSOs! ATB!
