Risk Governance: The Board Perspective for Technology Executives
Keyaan Williams
Global Risk Governance Executive | Professional Speaker | Funniest Man in Cybersecurity
Merriam-Webster defines a keynote address as a special presentation designed to arouse unity and enthusiasm about the primary issues of a group. This is what I set out to do when TMG gave me the honor of serving as a keynote speaker at the 2024 Zenith conference in Cincinnati this week. While it was a great honor, there was also significant pressure because IT executives from some of the world’s best companies were in attendance. Also, I had to follow a killer presentation provided by Drew Lydecker.
Thesis:
Getting the board on board with management of cybersecurity and technology risk is the first step in getting the entire organization on the right page for success.
Executive summary
Details
[1.] Risk Governance
I think I was the only person to focus on technology infrastructure from a board perspective. Management of information technology is a unique risk because organizations invest significant capital in the solutions that support business operations. Decisions about what technology and cybersecurity risk to accept in pursuit of business objectives are rightfully made by the board and the CEO, who must partner to define acceptable risk boundaries for the organization.
Risk boundaries should create an observable risk culture (averse, neutral, or aggressive) that influences the behavior of everyone in the organization. The acceptable boundaries for risk must be documented in a formal risk appetite statement. Then, everyone in the organization should be engaged in the practices that keep risk and exposure within the levels deemed acceptable in the risk appetite statement. Middle managers and individual contributors should not be authorized to accept risk on behalf of the organization without personal accountability and/or approval from the appropriate executive in the reporting chain. This ensures good risk oversight from board directors, who are acting in the best interests of stakeholders but who are not full-time employees of the company.
A reporting mechanism is needed that ensures relevant and actionable information makes it to the board early enough to give directors time to review risks, opportunities, and outcomes. I suggested that anything reported to the board should be included in the board packet and discussed at the committee level so there are no surprises at the board meeting. Nobody wants surprises documented in the official minutes of the board meeting!
[2.] Data Lifecycle Management
A ton of technology is available to support business operations. Thousands of AI companies are in the marketplace today. The influence of risk governance will drive decisions about investment in opportunities and risk management; however, there are so many choices that getting lost is easy (without the right trusted advisors). I didn’t talk much about AI, but AI provides an example that represents the problem of too many choices and technologies that might help a specific organization achieve desirable business outcomes.
I think data lifecycle management is a good starting point to help drive business risk decisions. Data Lifecycle Management focuses on the process used to create, use, share, and destroy data used by the organization. Data Lifecycle Management often works in conjunction with data inventory and data mapping to produce detailed information about what data exists, who is authorized to access the data, and the data processing that is allowed on various systems and services.
Detailed information about critical data allows enterprise architecture (EA) frameworks like TOGAF to verify the value of adopting new technology. If I understand my business processes and how they interact with data, I can prioritize adopting solutions that enhance existing processes. I can also avoid unproven and experimental technology that might hurt more than it helps. EA also ensures that all information and processes have owners so that data center managers, CIOs, and CISOs don’t have to be accountable for maintaining and protecting information they may not fully understand.
[3.] The Duty of Care is an important driver for action and accountability.
The duty of care is a legal responsibility. Boards, management, and organizations must act in the best interests of their stakeholders. When they fail, the courts may define the remedy necessary to make whole the people harmed by the inaction or negligence of the organization. The increasing volume and impact of cyber incidents and data breaches provide a good reminder to review what the duty of care requires of an organization. If the board is engaged (risk governance) and data owners are engaged (data lifecycle management), it is possible to manage enterprise cybersecurity risk in a way that ensures the courts never have to prescribe a remedy for people harmed by our inaction. #1 and #2 are prerequisites for #3. The exposure facing the organization is limited when all three practices are in place, effective, and produce desirable results.
This sounds good in theory. Doing it in practice is a different story. Thankfully, we have enterprise risk management standards like COSO and ISO 31000 that help. Often overlooked, NIST IR 8286 is my favorite standard for integrating cybersecurity and enterprise risk management in a way that satisfies the requirements for the duty of care.
Parting Shot
I can only cover so much in one summary. We talked about much more. Again, I appreciate the honor of leading the conversation. I look forward to doing it again when the annual TMG Zenith Conference returns to Cincinnati on 09 October 2025.
Resources
Image Credit | Chethan Kumar at Medium
Cutting Through the Noise in IT/Security helping Make the Complex Simple!
1 month ago: Keyaan Williams It was great having you in the Queen City for TMG's Zenith... Already planning your next trip north! Thank you again!
Sounds like you had an amazing time at the keynote. Cincinnati's got some cool vibes. What was your favorite part?