Time to Triple-Click on Cybersecurity
"Cybercrime groups have now become technologically on par with nation states, pooling their skills and resources to create for-profit cyber armies, significantly increasing their threat level." Ayman Al Issa, Jim Boehm, and Mahir Nayfeh
The past three weeks have provided a flurry of cyber news, cyber challenges and thoroughly disruptive global cyber events. In the age of permacrisis, the March 20, 2024 article from McKinsey & Company titled "Boards of directors: The final cybersecurity defense for industrials" argues for proactive engagement between boards and management teams to address the ever-growing risk that cybercrime poses across the globe. Cybercrime is estimated to drive over $10 trillion in annual costs globally. Link to article here: https://mck.co/4d0y2gL
The idea that board members need only ask great questions feels like an approach ill-suited for the complex and quickly evolving cybersecurity environment that we find ourselves in. I called Paul Connelly, NACD-DC, during a break in a recent CLASS-LLC executive cyber strategy certification program and asked, "How do you operationalize the resilience mindset and apply it to board governance?" He paused for a second and responded, "Sounds like we need to go three clicks down the rabbit hole on this topic . . ."
Paul then reminded me that modern cybersecurity has evolved from defense alone (try to keep the bad stuff out) to defense AND resiliency (withstand and recover). Sometimes the bad stuff will slip through your defenses, and organizations need to prepare for those possibilities with a resilience mindset. The sobering reality is that over 90% of small businesses fail following a cyberattack. Defense AND resiliency need to become the standard conversation about cybersecurity, regardless of the size of your business.
So let's start with the end in mind. When thinking about good board governance in an environment of permacrisis and incredible technological disruption, what does it mean to triple-click on cybersecurity?
Paul and I met when we worked together on developing a new executive cybersecurity course with the Educational Innovation team at Belmont University. (Link to the program here: https://www.belmont.edu/online/programs/cybersecurity/ ) Paul was the very first White House Cyber Security Officer and spent over two decades as CISO and Chief Security Officer at HCA. We quickly discovered a shared passion for learning and a deep appreciation for the evolving roles and responsibilities of boards when facing cyber threats that do not subscribe to the timing of the annual board calendar.
Three clicks down the rabbit hole
Click 1 - Always Be Learning (ABL)
All too often, the board governance lead story is that "board members should be asking great questions" about business performance, about risks and opportunities and about issues that find their way onto board agendas. As we talked about this article, Paul emphatically reminded me, "The evolving speed and disruptive nature of today's cyber threats requires board engagement beyond having and simply asking a list of great questions."
The speed of learning needed to address threats in an environment of permacrisis requires board/management engagement beyond a quarterly meeting cadence. That's why you often hear, "the real work of a board happens in committee." How boards structure committees to address cybersecurity (and new technologies) is and should remain the purview of board leadership. What's critical is that the committee work gets done.
Great questions are the first step of a robust learning process. I always try to frame questions that close the gap to understanding the "why" behind a decision or business outcome. Keyaan Williams' Cyber Strategy Retreat provided a plethora of great questions that help close the gap to understanding the intersection of cybersecurity, business processes and board governance, but more importantly, it helped to shape my resilience mindset for future board discussions:
Adopting an ABL mindset requires investment beyond great questions. Cyber committee members should evaluate and develop a portfolio of learning opportunities for committee members as well as the full board. One of the best recommendations I've heard in a while came from Valerie Darling at the CLASS-LLC event in Atlanta. She recommended that any outside expert who speaks to the board about cybersecurity should have successfully navigated a cybersecurity event. Nothing is better than sharing actual leadership scar tissue to bring real-world risk and resilience more clearly into focus.
Click 2 - Frameworks and Common Language
The best place for learning, framing and language is with a community of practitioners. I teach a class on Intentional Networking at the Leavey Executive Center at Santa Clara University and share this thought with emerging board leaders: "You don't walk into the boardroom with just your experience, you walk into the boardroom with your network." When Paul and I explored the list of top business issues from the NACD Quarterly Survey, Q2 2024, I was really thrilled that we had developed a great learning relationship that started at Belmont University - Jack C. Massey College of Business and had extended into our work together with NACD Nashville. We continue to explore the question, "What can our NACD (National Association of Corporate Directors) chapter do to inform and educate Nashville's board governance executives in our largest industry (Healthcare Services, $70b annually) on cybersecurity risks and the need for a robust resilience mindset?"
Over the past two years, I have intentionally grown my community of cybersecurity practitioners through engagement with Bob Zukis' Digital Directors Network, J. Carlos Vega's The Wednesday Wee Dram (WWD), and my newest cyber-family, Keyaan Williams' CLASS-LLC. By engaging communities of committed cybersecurity practitioners, governance leaders learn the language, frameworks and context needed to best execute on their fiduciary responsibilities to shareholders and stakeholders alike.
One other friendly reminder from Paul, this isn’t a campaign to “Friend a CISO.” Authentic triple-clicking on cybersecurity means continuous learning, understanding key frameworks, language and evolving approaches and finally, investing in a community of trusted, go-to resources who are continually comparing notes on evolving threats and resilience best practices.
The most effective board governance leaders are masters of pattern recognition. The pattern that I began to see over and over in these communities of cybersecurity professionals was a relentless continuous improvement mindset, laser focused on speeding up and sharing learning cycles. Very similar to factory operations, cybersecurity leaders like Laz created peer networks asking the question, "What problem are we trying to solve today?" Those peer networks process-mapped and explored root cause so they could solve problems inside the takt time of global networks of cybercriminals. I quickly learned to appreciate and respect their resilience mindset: anticipating future threats, implementing standards, embracing failure, learning quickly, sharing learnings broadly and deploying new controls to counter the relentless onslaught of new threat vectors.
What I am hearing less and less of between the cyber and board governance communities are comments to the effect of "that's too technical" or the mythical "they just wouldn't understand." Sometimes it takes smashing two (or more) learning communities together to build the common language and frameworks needed for effective and efficient problem solving.
One of the best recent examples was Bob Zukis and the BRFO SEC Cybersecurity Incident to Materiality Determination Process that his team created and quickly improved in the weeks following the SEC's publication of its Cybersecurity Incident Disclosure Rule. Cyber incident 8-Ks would improve dramatically if companies integrated the BRFO framework into their materiality discussions. Info on the DDN materiality masterclass can be found here: https://bit.ly/3A2dw0K . Link to a .pdf of the BRFO model here: https://bit.ly/3LJSDdw
If you want to explore other cybersecurity frameworks prior to your next committee/board meeting or conversation with the management team, here are a few recommendations:
Click 3 - Embrace the Resilience Mindset
Tia (Yatia) Hopkins is a Cybersecurity Resilience Mindset Evangelist. We originally met at a Leavey Executive Center at Santa Clara University event in Los Angeles in 2022 and I was thrilled that she was one of the keynote speakers at the CLASS-LLC 2024 Cyber Strategy Retreat.
Tia's talk kicked off an incredible two days of learning by diving deeply into NIST SP 800-160 Volume 2, Revision 1, "Developing Cyber-Resilient Systems: A Systems Security Engineering Approach," a NIST publication that provides guidance on designing, developing and deploying systems that are resilient to cyber-attacks. Link here: https://bit.ly/3LIdq0N
She eloquently walked through the framework's four cyber resiliency goals: Anticipate, Withstand, Recover & Adapt.
Anticipate - Maintain a state of informed preparedness for adversity.
Withstand - Continue essential mission or business functions despite adversity.
Recover - Restore mission or business functions during and after adversity.
Adapt - Modify mission or business functions and/or supporting capabilities in response to predicted changes in the technical, operational, or threat environments.
Our table discussions were quite robust and new questions emerged.
Final Reflections
The last couple of weeks have provided no shortage of opportunities to consider the benefits of a cybersecurity resilience mindset!
CrowdStrike issued its 8-K (https://ir.crowdstrike.com/node/13361/html ), with follow-up from the hacktivist entity USDoD claiming on the English-language cybercrime forum BreachForums to have leaked CrowdStrike's "entire threat actor list." Link to article here: https://bit.ly/3Wk4jbL . Don't let a good crisis go to waste! Engage your board and management team and assess their cybersecurity resilience mindset.
There are a ton of upcoming NACD (National Association of Corporate Directors) events focused on board governance, AI and cybersecurity. I'm definitely looking forward to attending panels on these topics at the NACD Directors Summit in October! Event information can be found here: https://bit.ly/3zXZe13
All are welcome to attend NACD Nashville's August 21 virtual event, "The Board Compass: Navigating AI Governance and Strategy," moderated by our own Paul Connelly, NACD-DC. We're super lucky to have Jeffrey Saviano and Rashida Hodge as panelists. Register here: https://bit.ly/4doey5P
Finally, develop your own learning community around cybersecurity. I found that attending the Digital Directors Network #Domino event in year two was radically different from my year one experience (https://bit.ly/4fliBS4 ). My understanding of cybersecurity language, frameworks and mindset has evolved as my learning community has grown. Plugging into new networks via the Leavey Executive Center at Santa Clara University and CLASS-LLC programs continues to shape and expand my understanding of the intersection of board governance and cybersecurity.
So get your three clicks logged at the intersection of cybersecurity and board governance! Any governance leader who hasn't invested time in these topics prior to a cybersecurity event always seems to find the time DURING/AFTER a cybersecurity event!
Michael Barnes Jeremy Wright, CLCS Greg Miller Henry Miller Lori Dyne (She/Her) William "Bill" Jones, NACD.DC Corporate Directors Forum Cynthia Falardeau Teresa Sebastian, NACD.DC Fay Feeney Nashville Area Chamber of Commerce Israel Rollins, NACD.DC Edward Littlejohn, MPH Nashville Health Care Council Lydie Marc Anita Lynch Lawrence X. Taylor NACD.DC Andrew Shea Graeme Payne Thane Kreiner, PhD Dennis Lanham Gary Garrison Joyce Searcy Cybersecurity and Infrastructure Security Agency Dr. Keri P. #cybersecurity #domino2025
Photo credit: https://kevinamesphotography.com
Exciting to see such collaboration in the Cybersecurity community! The "Resiliency Mindset" is crucial for navigating these evolving challenges. What specific strategies do you think will be most effective for leaders?
Board Director| AI/Cyber,Audit, Human Capital/Compensation, ESG, Executive & Nom/Gov Committees
3 months · Ed Magee, thank you for your insights that apply well beyond cyber: "The idea that board members need only ask great questions feels like an approach ill suited for the complex and quickly evolving cyber environment." Your insight is a paradigm lift for our leadership role to be value-adding, effective directors.
Board Member | Strategist | Audit Committee Qualified Financial Expert | Transformative Leader | C-Suite Executive | Former Institutional and Private Equity Investor | Connector
3 months · Thank you for this comprehensive summary, Ed.
Board Director | C-Suite | Global Healthcare Biotechnology Commercial Executive | EBITDA Revenue Growth | Strategy | Sales | Marketing | LatinX | Multilingual | Transformational Leader | Cybersecurity | AI
3 months · Great article and summation of many #cybersecurity, #AI, and #risk experts and resources, Ed! Thank you for quoting me in it; since cybersecurity threats are the #1 concern of boards per the NACD (National Association of Corporate Directors) Q2 Report with AI #5, I believe there is great value in outside #board consultants, especially those who have managed through a major incident for "actual" examples. As we sat together at the CLASS-LLC Cyber Strategy certification to share best practices for boards, we learned Tia (Yatia) Hopkins' Resiliency Mindset (and I will adopt Paul Connelly, NACD-DC's excellent advice here): "anticipating future threats, implementing standards, embracing failure, learning quickly, sharing learnings broadly and deploying new controls to counter the relentless onslaught of new threat vectors." Bravo!