Between boards and technology executives, cyber risk is a shared responsibility
Nov 30, 2023
The need for cyber risk awareness and oversight by boards and executive management is critical. But simply knowing about risk is not enough.
Amid today’s digitized business environment and hostile threat landscape, cyber risk awareness and oversight by boards and executive management is critical. But simply knowing about risk is not enough. Building a practical, actionable framework for improving an organization’s cyber risk posture demands clearly defined roles and responsibilities and close collaboration between technology and business leaders.
Last week, I hosted the second Executive Connect Live, The Board’s Role in Managing Cyber Risk, which examined how the board and the executive team should share the job of managing cyber risk. The panel interview was rich with lessons and insights from two industry-leading voices in cybersecurity and digital transformation: Andy Brown, CEO of Sand Hill East, a member of the Zscaler Board of Directors, and author of the book Cybersecurity: 7 Steps for Boards of Directors; and Sam Curry, VP and CISO in Residence at Zscaler.
A recurring theme in our conversation was shared responsibility. Many board members understand that they share responsibility for cybersecurity risk, but they are unsure how to act on it. The conversation was valuable both for board members wondering how to execute their roles better and for CISOs and other CXOs involved in managing business risk.
Cybersecurity is a team effort
Curry pointed out that CISOs don’t always use the same language and metrics of risk as their peers in finance, operations, legal, and sales. CISOs have often come up through the technical ranks: they are well-versed in security risk but less fluent in the business, which leaves departments misaligned.
He explained that CISOs must understand that their job is to close the gap between cybersecurity and the business and to build lateral support among the departments. “As a CISO, you’ll have to become a business person,” Curry said. CISOs need to demonstrate that they care about things like cost, customer satisfaction, and employee efficiency while giving other executives a chance to own a piece of cybersecurity.
The importance of practice
We then talked about how tabletop exercises and scenario planning play an essential role in training executives and boards to work together in a crisis situation and prioritize actions when an incident occurs. These discussions give teams the opportunity to collaborate, practice reasoning, and decide on a course of action. They also help teams determine who should run point in a crisis.
Brown said the goal is to define a process detailing how the team will engage and respond in a crisis, especially if the tools the team is accustomed to using become disabled or unavailable.
Take the classic conundrum of whether to pay a ransom. Teams need to know the relevant laws (in some jurisdictions, a payment to a sanctioned actor can itself be illegal) and consider what circumstances might require a ransom payment, such as when human lives are at risk in a hospital or a nuclear power plant. These issues and contingencies should be thoroughly explored before the time comes to act, not in the middle of an incident.
The plain truth: Boards must become more cyber-aware
In the age of generative AI and deepfakes, boards need to look at their own composition and decide whether a cyber expert or advisor is needed. Curry’s assessment was that we are going to see even more sophisticated phishing and social engineering attempts, so boards should raise their knowledge of cyber risks, perhaps through cyber literacy courses, so they can ask the right questions.
Brown and Curry offered the following questions that boards overseeing cybersecurity risk can pose to their CISOs.
- What are the crown jewels of the business? How are we protecting them? How consistently can we protect them?
- What is the impact of risk on compliance, especially the Securities and Exchange Commission (SEC) cyber disclosure rules? (The rules adopted in 2023 require public companies to disclose material cybersecurity incidents on Form 8-K within four business days of determining that an incident is material, which makes a documented, rehearsed materiality decision process part of incident response.)
- What controls do we have? Can you provide evidence that we have applied those controls and to what extent?
- Where are we on a security maturity scale?
- Do we have objectives for improving our security maturity?
- What is the cybersecurity program accomplishing? What is it focused on, and why?
- What are the process maturity metrics, and where do we want to get to?
- What does improvement look like? What does ineffectiveness look like?
- How do we know that the program is successful and that it’s time to realign our strategy?
- How are we preparing for social engineering attacks whose language and pretexts are becoming more convincing, for example with the help of generative AI?
Focus on improving, not comparing
I asked Brown and Curry how they view the role of cybersecurity maturity assessments, such as the Cybersecurity Maturity Model Certification (CMMC) and the National Institute of Standards and Technology (NIST) Cybersecurity Framework, and whether boards and the executive leadership team should be familiar with them.
Curry’s perspective is that these are good tools for self-assessment, but that in a peer group more value comes from the Information Sharing and Analysis Centers (ISACs) and from focusing on improving rather than on comparing.
Brown agreed that, although there is value in understanding how the team stands in comparison to its peers, it’s more important to focus on how the team is doing against the bad guys. To accomplish that, organizations need to have improvement programs that benchmark against all of the things they want to improve.
Brown views it as a type of infinite game: a mindset of constant improvement. For example, user awareness training can go a long way toward countering advanced phishing and deepfake technology, but only if employees are trained and tested continuously rather than once.
Process maturity is critical
This concept of constant improvement circles back to Curry’s point about CISOs needing to see themselves as businesspeople first and foremost. Part of that change in perspective involves improving cybersecurity process maturity until those processes are standardized and documented across the organization.
Curry brought up that legal consequences are at stake during a crisis. For instance, when teams communicate in writing, it becomes part of the record. Many cybersecurity people tend to overstate problems when they are trying to make a point, so teams should get in the habit of convening and discussing before anything written becomes part of the discoverable record. Teams should include the legal department in their tabletop simulations to define processes for what is communicated, how, and through which channels.
Zero trust as a framework for managing cyber risk
We discussed where zero trust comes into play and its importance in managing and mitigating cyber risk. Brown remarked that a zero trust architecture is an organization’s most important initial approach from a defense perspective. The concept of lateral movement is key to understanding zero trust: once an attacker has a foothold, the damage depends on how far they can move from it, and a zero trust architecture limits that movement by granting each access on its own merits (identity, device, and context) rather than trusting anything simply because it is on the internal network.
Curry observed that “trust is proportional to risk,” so if an organization has an environment where trust is minimized, the risk is minimized by default. Once an organization has made this transformation, security decisions become much more visible to the whole organization, including the board.
The key takeaway for me is that board members and executive leadership teams ultimately play a critical role in ensuring sound cyber risk practices and governance in their organization. They can help establish a much better and more resilient cybersecurity and risk management culture.
What to read next:
Cybersecurity: Seven Steps for Boards of Directors [eBook]