Time to Triple-Click on Cybersecurity
Class-LLC Cyber Strategy Retreat.

"Cybercrime groups have now become technologically on par with nation states, pooling their skills and resources to create for-profit cyber armies, significantly increasing their threat level." Ayman Al Issa, Jim Boehm, and Mahir Nayfeh

The past three weeks have provided a flurry of cyber news, cyber challenges and thoroughly disruptive global cyber events. In the age of permacrisis, the March 20, 2024 article from McKinsey & Company titled "Boards of directors: The final cybersecurity defense for industrials" suggests the need for proactive engagement between boards and management teams to address the ever-growing risk that cybercrime is wreaking across the globe. Cybercrime is estimated to drive over $10 trillion in annual costs globally. Link to the article here: https://mck.co/4d0y2gL

The idea that board members need only ask great questions feels like an approach ill-suited for the complex and quickly evolving cybersecurity environment that we find ourselves in. I called Paul Connelly, NACD-DC during a break in a recent CLASS-LLC executive cyber strategy certification program and asked, "How do you operationalize the resilience mindset and apply it to board governance?" He paused for a second and responded, "Sounds like we need to go three clicks down the rabbit hole on this topic . . . "

Paul then reminded me that modern cybersecurity has evolved from defense alone (try to keep the bad stuff out) to both defense AND resiliency (withstand and recover). Sometimes the bad stuff will slip through your defenses, and organizations need to prepare for those possibilities with a resilience mindset. The sobering reality is that over 90% of small businesses fail following a cyberattack. Defense AND resiliency need to become the standard conversation about cybersecurity, regardless of the size of your business.

So let's start with the end in mind. When thinking about good board governance in an environment of permacrisis and incredible technological disruption, what does it mean to triple-click on cybersecurity?

  • Click 1 - Adopt the "Always Be Learning" (ABL) mindset by engaging in board dialogue, inviting outside expert presentations, attending conferences, participating in tabletop exercises and investing in topical coursework. Yes, ask thoughtful questions about the intersection of disruptive technologies and business strategy, but also question the answers. Good questions signal board interest and urgency, and in many cases drive follow-up management action.
  • Click 2 - Understand the threat, technology, system, or disruption. This means aligning on a framework and developing a common language about the issue/risk/system and how it impacts your business. In factory operations, we would always ask, "Can you draw me a picture simple enough that I could explain this concept to my peers?" Alignment on framing requires iterative compare-and-contrast engagements with the CISO and management team.
  • Click 3 - Embrace the resilience mindset. Are my controls effective, and how resilient are my systems and processes if compromised? Anticipate and monitor the known threats, but also prepare to withstand, recover and adapt critical systems in the face of unknown threats.

Paul and I met when we worked together on developing a new executive cybersecurity course with the Educational Innovation team at Belmont University. (Link to the program here: https://www.belmont.edu/online/programs/cybersecurity/ ). Paul was the very first White House Cyber Security Officer and had spent over two decades as CISO and Chief Security Officer at HCA. We quickly discovered a shared passion for learning and deep appreciation for the evolving roles and responsibilities of boards when facing cyber threats that do not subscribe to the timing of the annual board calendar.

Three clicks down the rabbit hole

Click 1 - Always Be Learning (ABL)

All too often, the board governance lead story is that "board members should be asking great questions" about business performance, about risks and opportunities and about issues that find their way onto board agendas. As we talked about this article, Paul emphatically reminded me, "The evolving speed and disruptive nature of today's cyber threats requires board engagement beyond having and simply asking a list of great questions."

The speed of learning needed to address threats in an environment of permacrisis requires board/management engagement beyond a quarterly meeting cadence. That's why you often hear, "the real work of a board happens in committee." How boards structure committees to address cybersecurity (and new technologies) is and should remain the purview of board leadership. What's critical is that the committee work simply needs to get done.

Great questions are the first step of a robust learning process. I always try to frame questions that close the gap to understanding the "why" behind a decision or business outcome. Keyaan Williams' Cyber Strategy Retreat provided a plethora of great questions that help close the gap to understanding the intersection of cybersecurity, business processes and board governance, but more importantly, helped to shape my resilience mindset for future board discussions:

  • Can you describe where our critical business processes intersect with cybersecurity? Tia (Yatia) Hopkins
  • Do we have a master data management strategy that underlies our business process? Tia (Yatia) Hopkins
  • What mechanisms is the management team using to learn and share learnings about cybersecurity? Cross-functional working groups are preferred. Laz
  • Where is our data stored, processed and transmitted? How do we exchange data with third-party providers? How do we assure secure exchanges? Laz
  • How do we evaluate, track and address third party software risk? Keyaan Williams
  • How do we track and monitor software end-of-life? Are we addressing software risks at a pace consistent with our risk appetite? Keyaan Williams
  • And as a bonus, my favorite quote on exploring AI, "You need to treat AI like an intern." Roger Babb

Adopting an ABL mindset requires investment beyond great questions. Cyber committee members should evaluate and develop a portfolio of learning opportunities for committee members as well as the full board. One of the best recommendations I've heard in a while came from Valerie Darling at the CLASS-LLC event in Atlanta. She recommended that any outside expert who speaks to the board about cybersecurity should have successfully navigated a cybersecurity event. Nothing better than sharing actual leadership scar tissue to bring real world risk and resilience more clearly into focus.

Laz, Tia, Caroline and Keyaan! First-class keynote crew! Photo credit: Kevin Ames Photography


Click 2 - Frameworks and Common Language

The best place for learning, framing and language is with a community of practitioners. I teach a class on Intentional Networking at the Leavey Executive Center at Santa Clara University and share this thought with emerging board leaders: "You don't walk into the boardroom with just your experience, you walk into the boardroom with your network." When Paul and I explored the list of top business issues from the NACD Quarterly Survey, Q2 2024, I was really thrilled that we had developed a great learning relationship that started at Belmont University - Jack C. Massey College of Business and had extended into our work together with NACD Nashville. We continue to explore the question, "What can our NACD (National Association of Corporate Directors) chapter do to inform and educate Nashville's board governance executives in our largest industry (Healthcare Services, $70b annually) on cybersecurity risks and the need for a robust resilience mindset?"

NACD Quarterly Survey Q2 2024


Over the past 2 years, I have intentionally grown my community of cybersecurity practitioners through engagement with Bob Zukis' Digital Directors Network, J. Carlos Vega, CISSP's The Wednesday Wee Dram (WWD), and my newest cyber-family, Keyaan Williams' CLASS-LLC. By engaging communities of committed cybersecurity practitioners, governance leaders learn the language, frameworks and context to best execute on their fiduciary responsibilities to shareholders and stakeholders alike.

One other friendly reminder from Paul: this isn't a campaign to "Friend a CISO." Authentic triple-clicking on cybersecurity means continuous learning; understanding key frameworks, language and evolving approaches; and finally, investing in a community of trusted, go-to resources who are continually comparing notes on evolving threats and resilience best practices.

The most effective board governance leaders are masters of pattern recognition. The pattern that I began to see over and over in these communities of cybersecurity professionals was that of a relentless continuous improvement mindset, laser-focused on speeding up and sharing learning cycles. Very similar to factory operations, cybersecurity leaders like Laz created peer networks asking the question, "What problem are we trying to solve today?" Again like factory operations, cybersecurity peer networks process-mapped and explored root cause to problem-solve inside the TAKT time of global networks of cybercriminals. I quickly learned to appreciate and respect their resilience mindset: anticipating future threats, implementing standards, embracing failure, learning quickly, sharing learnings broadly and deploying new controls to counter the relentless onslaught of new threat vectors.

What I am hearing less and less of are comments between the cyber and board governance communities to the effect of "that's too technical" or the mythical "they just wouldn't understand." Sometimes it takes smashing two (or more) learning communities together to build common language and frameworks for effective and efficient problem solving.

One of the best recent examples was Bob Zukis and the BRFO SEC Cybersecurity Incident to Materiality Determination Process that his team created and quickly improved in the weeks following the SEC publishing the Cybersecurity Incident Disclosure Rule. Cyber incident 8-Ks would improve dramatically if companies integrated the BRFO framework into materiality discussions. Info on the DDN materiality masterclass can be found here: https://bit.ly/3A2dw0K . Link to a .pdf of the BRFO model here: https://bit.ly/3LJSDdw

DDN BRFO Incident to Materiality Determination Process v6


If you want to explore other cybersecurity frameworks prior to your next committee/board meeting or conversation with the management team, here are a few recommendations:

  • National Institute of Standards and Technology (NIST). NIST provides guidelines, frameworks and standards (1,419 articles as of 7/28/2024) to help organizations manage and reduce cybersecurity risk. Examples include the Cybersecurity Framework (CSF) and various Special Publications (SP) to lose a weekend or two exploring. https://www.nist.gov/publications/search?ta%5B0%5D=248731
  • Center for Internet Security (CIS) Controls, version 8.1. Provides a prioritized set of actions to protect organizations and data from known cyber-attack vectors. https://www.cisecurity.org/controls
  • Information Technology Infrastructure Library (ITIL). A set of best practices and guidelines for managing IT services and processes within an organization. It's structured around the service lifecycle. https://www.ibm.com/topics/it-infrastructure-library
  • Software Assurance Maturity Model (SAMM). An open framework designed to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization. https://owasp.org/www-project-samm/
  • Digital Directors Network, specifically The Definitive Boardroom Guide on Cybersecurity Governance: The DOMINO Guide. Link here: https://bit.ly/3WHcaRO
  • Cybersecurity and Infrastructure Security Agency (CISA). As part of the Department of Homeland Security, CISA works to understand, manage, and mitigate risk to the nation's cyber and physical infrastructure in the public and private sectors. Every CISO should know and connect with their CISA Regional Director. https://www.cisa.gov/about/regions

Click 3 - Embrace the Resilience Mindset

Tia (Yatia) Hopkins is a Cybersecurity Resilience Mindset Evangelist. We originally met at a Leavey Executive Center at Santa Clara University event in Los Angeles in 2022, and I was thrilled that she was one of the keynote speakers at the CLASS-LLC 2024 Cyber Strategy Retreat.

Tia's talk kicked off an incredible two days of learning by diving deeply into NIST 800-160 Volume 2 Revision 1, "Developing Cyber Resilient Systems: A Systems Security Engineering Approach," a standard that provides guidance on designing, developing and deploying systems that are resilient to cyber-attacks. Link here: https://bit.ly/3LIdq0N

She eloquently walked through the key concepts of the framework: Anticipate, Withstand, Recover & Adapt.

Anticipate - Maintain a state of informed preparedness for adversity.

  • How does our organization proactively identify and assess potential AI-related risks and vulnerabilities? What processes are in place to ensure that we stay ahead of emerging threats and opportunities in AI technology?

Withstand - Continue essential mission or business functions despite adversity.

  • What measures have we implemented to ensure our AI systems are resilient against cyber attacks? Are there specific protocols or redundancies in place to protect our AI infrastructure?

Recover - Restore mission or business functions during and after adversity.

  • Do we have a comprehensive incident response plan tailored to AI-related cybersecurity incidents? How frequently is this plan tested and updated to ensure swift recovery and continuity of operations?

Adapt - Modify mission or business functions and/or supporting capabilities in response to predicted changes in the technical, operational, or threat environments.

  • How does our organization incorporate lessons learned from past AI-related incidents to improve our resilience? What mechanisms are in place to ensure that our AI strategies remain flexible and adaptive to new challenges and opportunities?

Our table discussions were quite robust, and new questions emerged.

  • Do you have a master data management strategy as the foundation of your business systems strategy?
  • Have you identified critical business systems? If so, what measures have you implemented to ensure that those systems can withstand and recover from cyber attacks?
  • How frequently is the resilience plan tested, evaluated and improved upon?
  • Are you tracking key data trends (performance over time) or just providing process snapshots?
  • How are you educating employees about existing threats and their responsibilities for protecting company assets?
  • Are you investing in resilience or just protection?

Keyaan Williams from Class-LLC Photo Credit: Kevin Ames Photography


Final Reflections

The last couple of weeks have provided no shortage of opportunities to consider the benefits of a cybersecurity resilience mindset!

CrowdStrike issued its 8-K (https://ir.crowdstrike.com/node/13361/html ) with follow-up from the hacktivist entity USDoD claiming on the English-language cybercrime forum BreachForums to have leaked CrowdStrike's "entire threat actor list." Link to the article here: https://bit.ly/3Wk4jbL . Don't let a good crisis go to waste! Engage your board and management team and assess their cybersecurity resilience mindset.

There are a ton of upcoming NACD (National Association of Corporate Directors) events focused on board governance, AI and cybersecurity. I'm definitely looking forward to attending panels on these topics at the NACD Directors Summit in October! Event information can be found here: https://bit.ly/3zXZe13

All are welcome to attend NACD Nashville's August 21 virtual event, "The Board Compass: Navigating AI Governance and Strategy," moderated by our own Paul Connelly, NACD-DC. We're super lucky to have Jeffrey Saviano and Rashida Hodge as panelists. Register here: https://bit.ly/4doey5P

Finally, develop your own learning community around cybersecurity. I found that attending the Digital Directors Network #Domino event in year two was radically different from my year one experience (https://bit.ly/4fliBS4 ). My understanding of cybersecurity language, frameworks and mindset has evolved as my learning community has grown. Plugging into new networks via the Leavey Executive Center at Santa Clara University and CLASS-LLC programs continues to shape and expand my understanding of the intersection of board governance and cybersecurity.

So get your three clicks logged at the intersection of cybersecurity and board governance! Any governance leader who hasn't invested time into these topics prior to a cybersecurity event always seems to find the time DURING/AFTER a cybersecurity event!

Michael Barnes Jeremy Wright, CLCS Greg Miller Henry Miller Lori Dyne (She/Her) William "Bill" Jones, NACD.DC Corporate Directors Forum Cynthia Falardeau Teresa Sebastian, NACD.DC Fay Feeney Nashville Area Chamber of Commerce Israel Rollins, NACD.DC Edward Littlejohn, MPH Nashville Health Care Council Lydie Marc Anita Lynch Lawrence X. Taylor NACD.DC Andrew Shea Graeme Payne Thane Kreiner, PhD Dennis Lanham Gary Garrison Joyce Searcy Cybersecurity and Infrastructure Security Agency Dr. Keri P. #cybersecurity #domino2025

Photo credit: https://kevinamesphotography.com



Exciting to see such collaboration in the Cybersecurity community! The "Resiliency Mindset" is crucial for navigating these evolving challenges. What specific strategies do you think will be most effective for leaders?

Raquel Brigham Brown, MBA

Board Director| AI/Cyber,Audit, Human Capital/Compensation, ESG, Executive & Nom/Gov Committees

3 months ago

Ed Magee, thank you for your insights that apply well beyond cyber: "The idea that board members need only ask great questions feels like an approach ill suited for the complex and quickly evolving cyber environment." Your insight is a paradigm lift for our leadership role to be value-adding, effective directors.

Steven Tolbert

Board Member | Strategist | Audit Committee Qualified Financial Expert | Transformative Leader | C-Suite Executive | Former Institutional and Private Equity Investor | Connector

3 months ago

Thank you for this comprehensive summary, Ed.

Valerie Darling

Board Director | C-Suite | Global Healthcare Biotechnology Commercial Executive | EBITDA Revenue Growth | Strategy | Sales | Marketing | LatinX | Multilingual | Transformational Leader | Cybersecurity | AI

3 months ago

Great article and summation of many #cybersecurity, #AI, and #risk experts and resources, Ed! Thank you for quoting me in it; since cybersecurity threats are the #1 concern of boards per the NACD (National Association of Corporate Directors) Q2 Report with AI #5, I believe there is great value in outside #board consultants, especially those who have managed through a major incident for “actual” examples. As we sat together at the CLASS-LLC Cyber Strategy certification to share best practices for boards, we learned Tia (Yatia) Hopkins’ Resiliency Mindset (and I will adopt Paul Connelly, NACD-DC’s excellent advice here) - “anticipating future threats, implementing standards, embracing failure, learning quickly, sharing learnings broadly and deploying new controls to counter the relentless onslaught of new threat vectors”. Bravo!
