Cybersecurity Perspectives for Directors

Apr 10, 2024
Recently adopted Securities and Exchange Commission (SEC) rules on cybersecurity risk management mean many board directors are upskilling in this area. To that end, the National Association of Corporate Directors (NACD) recently brought together over 100 directors representing a mix of public, private, and nonprofit boards, spanning multiple industries, to increase knowledge of cyber risks and share strategies to improve oversight.

Speaking at the event, Sam Curry, Zscaler Chief Information Security Officer in Residence, who has both board and c-suite experience, shared his insights on some of the most challenging hurdles boards have to overcome, including navigating the SEC rules and bridging the communication gap between the board and management. Following the discussion, I sat down with Sam to capture some of his perspectives.

RS: Has the SEC rule on cybersecurity risk management, strategy, governance, and incident disclosure adopted last year positively impacted the way that boards oversee cybersecurity?

SC: I think the answer is probably no, but it will. These things are meant to guide behavior and it’s not like it wasn't important before. There were absolutely rules around materiality and cyber incidents that would have required disclosures. This just outlined it much more specifically and gave it more guidance. 

While it has changed some behaviors, it's far too soon to tell if it’s actually going to have a lasting effect and what sort of effect that will be and how it will play out over time. It's not like there's a single set of best practices we will all leap to as a result of this. 

RS: How is the communication between security leaders and the board?

SC: A number of my colleagues have been saying “They're going to need us on boards,” and I say: “No, not just because of your cyber skills.” More people who are joining boards are getting cyber skills either as an addition to what they do, or perhaps because it's going to become more spread through the industry. 

I think one of the biggest problems in cybersecurity is lack of alignment with the business. There isn't a lingua franca between the business side, directors, and the cybersecurity profession. Having said that, it is still risk management and that is something boards inherently understand, and the frequency of communication is going up. 

RS: Directors are becoming more familiar with core cyber risk controls like multi-factor authentication and patch management, etc., but may be less familiar with zero trust. Can you briefly describe what zero trust is and why directors need to care?

SC: The simplest definition of zero trust is that it only allows what the business needs, when it needs it, for as long as it needs it.

It sounds very simple, but the hardest part is the word “only.” The way we've been doing IT and business services for a very long time has been to maximize connectivity, which leads to massive redundancy, massive over-provisioning, and complexity. 

In the world of zero trust, we have less inherent trust in the network infrastructure. The default should be no access until it's actually needed, and then granted following a process of authenticating the user or application, and then taken away when it's no longer needed.

RS: What does that mean for network security?

SC: Architectural options like zero trust allow us to reduce the likelihood to something meaningfully small and ensure damage isn't catastrophic. You must still assume compromises are happening though, because that's what makes you lean in.

RS: What is your call to action for board members?

SC: The most important thing is trust internally. Ironically, you want zero trust in your infrastructure, but you want maximum trust in your people! I don't trust the green dashboard. If the whole thing is green, someone is hiding something or it's been polished to within an inch of its life. 

Speaking as a board member of several boards, rather than just a cyber professional, I trust the person who brings red things to me because I know that person isn't hiding things and they want conversation. I will never penalize somebody for a red thing on a slide or a dashboard or a report. Quite the contrary, I'm going to give them more power. So I’d urge directors to create safe spaces to have the conversations.
