Session Notes: Influence Corporate Strategy and Drive Business Decisions with Cybersecurity

Abstract

What should the board and business leaders know about cybersecurity? The importance of this question continues to grow as regulators place increasing accountability on listed companies, their boards, and the management teams that lead them. This presentation presents key ideas that security should address and communicate to equip the board and management for success. Interviews and discussions with sitting board members influence strategies that equip the business to make good decisions that honor the duty of care and achieve corporate risk management goals – even with limited resources.

Key Takeaways

It is important for security leaders to know how boards work.

The detailed work of the board is done by committees. Ideally, decisions made at this level will be formally documented in the minutes of the full board meeting. The full board meeting is not the place to have discussions about new issues and topics that have not been addressed. The best approach is for security to report to the right board committee to ensure issues are explored in detail, options are considered, and decisions are made about how to act and what resources are required for success.

Three standing committees exist in most public companies: audit, nominating and governance, and compensation. The audit committee focuses on financial reporting and disclosure, accounting policies and principles, internal audit, and risk management. The nominating and governance committee focuses on board succession planning, performance of the board and management, and development of corporate governance guidelines. The compensation committee focuses on the company's compensation philosophy, CEO and c-suite compensation, and compensation-related disclosures.

The people serving these committees are specialists in their respective domains. They are selected because of their contribution to the board's skills matrix. Digital transformation, AI, and cybersecurity are in-demand skills; however, they are not the only skills required. The OECD Corporate Governance Factbook notes that organizations in the jurisdictions they monitor are adopting dedicated enterprise risk committees (not CISO committees) that focus on all risks facing the organization.

Cybersecurity is a subset of enterprise risk management.

Practices for Integrating Cybersecurity and Enterprise Risk Management (ERM) are outlined in NIST IR 8286. The standard and its appendices note, “The increasing frequency, creativity, and severity of cybersecurity attacks means that all enterprises should ensure that cybersecurity risk is receiving appropriate attention within their enterprise risk management (ERM) programs.” Integrating ERM and cybersecurity risk is essential because the solution for risk in one area of the organization likely has an impact on risk in other areas like revenue risk, reputational risk, regulatory risk, and operational risk. All these risks work together to influence the total exposure faced by the organization. All these risks depend on an integrated response to reduce risk to an acceptable level using the limited resources available to the organization.

Strategic planning and strategic management are required to produce desirable outcomes.

Strategy is easy; execution is hard. Development of the strategic plan helps clarify the organization's plans and ensure alignment between key leaders. However, most strategies fail because of poor execution. Strategic management is an activity that starts with the board and ends with every stakeholder understanding his or her role in the execution of the plan. The strategic plan communicates corporate goals, the actions required to achieve those goals, and the critical elements required for success. A strategy that focuses on reducing cybersecurity risk requires endorsement and buy-in at the board level and across the entire c-suite to be successful.

The board must establish and document the acceptable boundaries of risk taking.

The risk appetite statement is a declaration by the board about the amount of risk the organization is willing to accept in pursuit of desirable outcomes (ARR, shareholder value, income, etc.). The risk appetite statement provides insight into the risk culture of the organization. An organization is more likely to accept significant risk in the pursuit of strategic and business objectives as it operates closer to the risk-aggressive end of the risk spectrum. It is more likely to avoid risk as it operates closer to the risk-averse end of the risk spectrum. Executive leaders, not the CISO, should establish clear and actionable risk management guidance based on enterprise mission and business objectives. Response to risk is a business decision.

CISOs are not corporate officers.

I threw this grenade on Easter Sunday (reference), so I will not take a deep dive on this component. A few additional insights were provided at the conference. The CISO can support appropriate responses, but the CISO cannot direct actions that take place or require specific spending and investment by business leaders. Building upon my previous article, I confirmed with insurance professionals and a major insurance broker that most state insurance commissioners do not recognize CISOs as corporate officers. This is important when considering who is accountable for what in an organization.


There is a duty of care for cybersecurity that organizations must adopt.

Duty of care is a recognized legal standard that imposes obligations on people and organizations to adhere to a standard of reasonable care while performing any acts that could foreseeably harm others. Security programs driven by compliance focus on checklists that ensure specific minimum necessary requirements are met. Security programs driven by the duty of care demand that "reasonable" security controls are put in place to ensure that all necessary and appropriate action is taken to protect the stakeholders and customers of the organization as the highest priority. The DoCRA Standard is a good tool to drive the optimal approach. The practices outlined in NIST SP 800-39 reinforce the duty of care approach by activating a three-tier organizational structure that engages leaders at all levels of the organization to participate in the management of information security risk. The risk of Caremark claims reinforces the duty of board directors and corporate officers to provide risk oversight that prevents harm to customers and stakeholders through the application of personal liability for decision makers.


Metrics support ongoing evaluation of performance, which leads to improvements in the execution of strategy.

Performance metrics should provide information that supports and justifies business decisions. The measurements we use to evaluate performance in the security strategy make a difference because they communicate value, drive action, and influence behavior. I am not going to walk if the distance requires a car. I am not going to sit on a chair that will not support my weight unless I want it to collapse under the pressure. My age matters because it relates to things I am authorized to do: vote, drink alcohol, retire, draw a pension. Much of what security does is hard to quantify, so metrics that evaluate the right information and highlight impacts are the most effective at creating a meaningful discussion about the relationship between security programs, the services they provide, the needs of the business, and ultimately, the effectiveness of the strategy and its execution. The Performance Measurement Guide for Information Security (NIST SP 800-55) is the best way to measure strategic performance at all levels of the three-tier corporate hierarchy. Per NIST, effective measures yield quantifiable information, draw on data that is readily obtainable, consider only repeatable processes, and are useful for tracking performance and directing resources.


H/T to friends who influenced and helped improve the content of the presentation: Karen Worstell, MA, MS; Malcolm Harkins; Caroline Wong; and Laz.

Ritik Sharma

Creative Video Producer | I love producing Product Explainers and Demo Videos for SaaS products

7 months

Looking forward to learning from your insights, sounds like a fantastic event!
