- Phil Venables
Crucial Questions from CEOs and Boards
Updated: Aug 24, 2022
Over the past few years I have done a lot of speaking at conferences, events and small group settings for Board directors and corporate executives (CEOs, CFOs, Chief Risk Officers, Legal, Compliance, Audit and others). The time I spend with these groups has been increasing which is a great signal of interest. As a result, the time I spend on similar engagements overall is now split into roughly 4 equal segments:
Corporate executives and Boards
CIOs/CTOs and other IT leadership
CISOs and security teams
Government officials and regulators
All of these interactions are very instructive and the questions and concerns can be quite distinct. Over the next 4 posts I'm going to cover the most common questions from each of those groups with my typical answers. I’ll start with the common questions from corporate executives and Boards.
To be clear, these aren’t the questions necessarily asked in Board meetings I present to, or executive meetings I attend. Rather, these are the questions typically asked when I meet people in such roles in informal settings and they just ask questions to be personally informed. The level of detail of my responses, of course, depends on the audience. So, the point of these posts is not to give you the content of the answers (much of which you will likely know), or to present an exhaustive list of questions and answers for all topics. The point is to give you a flavor of what these groups are asking as it reveals some insights into their concerns and challenges.
1. Current Risk and Threat Outlook
There's a lot going on in the world, can you give us a quick grand tour of the cyber threat landscape?
Naturally this answer varies depending on the current geo-political and other threat outlook as well as what events might have been prominent in their particular industry or geography, but essentially the answers are:
Nation states and organized criminal groups remain the most prominent of threat actors, often with a blurring of lines between the two categories.
Motivations of threat actors range across economic and other forms of espionage, disruption/destruction for geo-political influence, extortion, fraud and other forms of monetary gain - including continued pressure from ransomware. There are some small activist threats which occasionally pop up.
While there is a cluster of nations with the most significant cyber threat activity, as well as concentrations of cyber-criminal activity in certain geographies, threats are increasingly becoming globally spread, commoditized and dispersed (global to global, global to local, local to local).
Threats can be targeted or opportunistic. You might become a target but more often you will be a victim of an opportunistic attack. The nature and intensity of the defenses you need for either approach are different.
Organized criminal groups continue to rise in sophistication and the world’s increased digital attack surface gives them a bigger playground.
We are all scoring victories, largely unreported, that make life harder for attackers. Many organizations have worked hard to impose costs on attackers in various ways, recognizing that attackers have bosses and budgets too.
It is also important to manage insider threats. This is not just employees or contractors acting deliberately or opportunistically for gain, or causing harm out of disgruntlement; more importantly, it is the different threat of otherwise trusted insiders being extorted or coerced by external threat actors. Recognize that these two types of insider risk need different mitigation approaches.
Finally, you should expect from a number of nation state threat actors the potential for disinformation to be used alongside attacks to create broader market impact and fear. For example, imagine one company in your sector being truly breached, but then the threat actor seeds disinformation that you and everyone else is similarly compromised. Doing a breach response for real is different from conducting a response to a claimed breach that really isn’t, especially against a top tier threat actor that is adept at information operations.
2. How are Companies Positioned?
Are companies always playing defense and catch-up, is there an end to this?
Many Boards and executives increasingly understand that this is a never ending risk management effort, but for many it also still feels like this is something that should end but never seems to. Some organizations take this in their stride, but for others there is a palpable sense of fatigue. I address this in this way:
The threats remain serious and will always be there, so we have to treat this just like any other corporate risk management or control process. It is always going to be with us, and the quicker organizations internalize that, and seek competitive advantage by improving their approach while also improving customer experience and agility, the better off they will be.
Overall, I am short term pessimistic but long term optimistic in that there are many successful examples of ongoing sustained defensive success, with more coming. But this is always going to be an arms race between attackers and defenders, much like many other parts of risk management such as fraud, physical theft and so on.
But, let’s take a step back and remember, cyber is not the only risk, it might not even be the actual major risk for many companies but it is of course potentially more existential. I make this point to remind us that good controls can mitigate many risks, including cyber, and investing in modernizing and sustaining your technology platforms so that security is built in, not bolted on is highly effective.
Similarly, it can be a mistake to invest only in cybersecurity controls while neglecting broader technology upgrades and modernization; this would be like building on a foundation of sand. You have to manage this as a portfolio of risks. On a positive note, companies that have the best cyber defenses and track record also typically have the most modern IT platforms, the best agility, the best technology risk mitigation overall, and deliver significant business or mission advantage from this.
3. Is Cloud More Secure than prior IT?
Is cloud more secure than traditional on-premise IT, what's the future here and how should companies select vendors in all this uncertainty?
It is becoming generally well accepted that a well configured cloud environment, or on-premise cloud-like modernized IT environment, is more secure than typical on-premise environments, especially legacy on-premise. There is, however, still some uncertainty for many Boards and executives that have seen some of the headline misconfiguration related breaches in recent years. So it is important to treat this as a serious question:
Cloud (or at least a good cloud) that is configured in the right way is typically more secure than most on-premise IT environments. But there is nuance in that you can have a badly configured cloud implementation that creates many issues. You can also create a well maintained highly secure on-premise environment.
But in general cloud is easier to secure and keep secure compared to on-premise environments, especially those with a significant build-up of older generations of technology where security was simply not built in. Segmentation, encryption, secure boot, role-based access, speedier patching and many other important security mechanisms typically come as defaults, or are easy to enable. You might be able to put these controls into a traditional on-premise environment, but it comes at significant actual and opportunity cost.
Cloud is going to keep getting more secure because of competitive pressure, economies of scale, the tight feedback loop of product improvements (what you might call a digital immune system), and the inherently software-defined nature of the environment, which liberates technology teams to implement more stringent and continuously monitored controls without sacrificing agility and productivity.
4. Enterprise Risk Management
How should organizations think about managing cyber risk with all their other risks - what's the efficient frontier here? Is this a technology problem or a business problem or both?
This question comes from organizations, and their Boards or executives, that have moved up the maturity scale and are thinking about how to manage the interplay between their various enterprise risks in more effective ways. They realize a strong need to break down silos between IT, security, risk, compliance and their business units. They want to make sure security is a competitive edge, or at least not a drag on enterprise objectives, mission or customer service, all the while avoiding major risk impact. Sometimes this is a hard question to answer specifically, because what they need to know depends on the configuration of their organization as well as their culture, but it typically encompasses:
Some people will tell you security is a business problem, not a technology problem. This is true, of course, in that security needs to be a business priority and failure has real business repercussions. But at another level it is wrong to assert that it is not also a technology problem: the controls you want have to be implemented in your technology platforms, across your supply chain, and upstream to your customers through digital channels.
You also need to place this into an overall portfolio of other business risks from strategic, supply chain logistics, product development, people and technology, and many others. Managing this as a first class risk in your overall operational risk framework is vital.
In fact, this is why I’m against having too much governance structure exclusively focused on cybersecurity. Having a “Cybersecurity Committee” might seem a strong signal of commitment to the risk, but, if you’re not careful you get a side effect that all discussions of cyber are relegated there and so cyber is not discussed as a core part of the business or technology strategy. Remember the goal is secure products, not just security products, and that is driven by integration not separation.
So think about three objectives:
Enterprise integration: embed security / technology risk into all your processes from strategy, budgeting, product development to people / talent assessment and beyond.
Technology integration: embed security into technology, built in not bolted on. Make it an intrinsic, incentivized part of how all systems, products and software are built, and of how all suppliers and external dependencies are rated.
Resilience and recovery: no matter how good you are, something will go wrong. Your success and reputation will depend on how you respond, and this is dependent on the muscle memory you have developed through drills and exercises.
Fundamentally, you are managing a portfolio of risks. This is an optimization problem of how you balance cost and opportunity cost vs. the risk and reward of business or mission activities. It might actually be that the best target for that next $X of expenditure is not on cyber but perhaps on some other technology or even broader business control risk mitigation. It might even be best to spend that $X on keeping risk levels the same but refactoring existing controls to improve productivity, agility, or customer experience.
5. Board Conversations
What is the right security conversation a Board should have? What should they be asking the CEO, the CIO, the CISO?
Many Boards and executive teams spend a lot of time thinking about the health of the interaction between the Board, the executive team and other levels of management. They are often adept at thinking about such alignment and so this is a common question, sometimes from a sense that they’re not getting it right and that improvements are needed. So, the answers to these questions, again, follow a common pattern of the need for integration:
Boards need to be more confident in challenging management on cybersecurity and technology risk, and should think of this as less of a “dark art”. In reality, the Board or executive management should be able to ask, and get a reasonable answer to, the compound question: what are our most critical assets and business processes, what risks do they face, how do we mitigate those, how do we monitor that risk mitigation to make sure it remains effective, and who has deemed any residual risk acceptable and on what basis? Finally, how do we independently challenge this to make sure we’re not getting too comfortable?
But above all, the Board, CEOs and other executives should be asking more leading questions about technology/digital capability, not just lagging indicators of cyber performance. For example, what percentage of your software is continuously rebuilt and deployed? Yes, that sounds a bit in the weeds, but it’s only like asking a CFO if they have all the company accounts in one place and reconciled regularly. This is important because if you don’t know how well your software is controlled, and you can’t routinely build and deploy it, then you have limited agility, are unable to drive security improvements at acceptable operating risk, and lack many other capabilities that are crucial to cybersecurity.
There are many other examples, including: did you really test your backups, what are the plausible but severe scenarios from which you cannot recover, and what lessons can be learnt from conducting regular incident or close-call reviews, paying attention to where you got lucky.
Finally, while you do need some cyber expertise on your Board, if you have it be careful that the rest of the Board does not abdicate its oversight responsibility.
6. Personal Wishful Thinking
You've had experience on both sides of the Board room, what do you wish you'd have done better either as a Board Director or a Chief Risk Officer / Chief Information Security Officer?
We talk a lot about using security to deliver business enablement, is that viable?
Boards and executives, even if they think they might have it right, inevitably want to learn from other organizations and people, especially those that have been in their seats. Fortunately (or unfortunately, I guess) I have some lessons learnt to impart:
As a Chief (Operational) Risk Officer I wish I had been quicker to put in place metrics with Board-driven limits and thresholds. We got there and it worked tremendously well, but we initially let the perfect be the enemy of the good. We spent a lot of time trying to come up with a set of metrics that were mutually exclusive, collectively exhaustive and risk-predictive, versus going after the 80/20 outcome of picking a viable small set of metrics that represented the majority of the risk outcome. Leading metrics, as opposed to even well calculated and modeled lagging metrics, were the most transformational, especially when subject to Board limits (mandates).
As a Board Director, I wish I had done earlier what we ended up doing, which was to expect more from business line executives to be able to explain their technology and cyber risk in their Board presentations and not rely overly on the CISO or their business line CISO. When we pressed this, we unsurprisingly got more engagement from the business lines with their own teams outside of the Board room.
In terms of business benefits, many risk, security and, for that matter, audit programs are somewhat flawed in that they view success as finding more risk and driving that risk lower and lower, even to the point of diminishing returns. More teams should look at the risk profile and perhaps say that it is about right, and that what would really add value is to look at the controls and ask whether they can be upgraded to keep the risk the same while improving customer experience, improving team productivity, reducing false positives that impact the business, creating enablers for new supply chain approaches, and so on.
Related to that, one of the best questions a Board can ask executives or business line leaders is what adjacent benefits they are getting from security, if only because the answer might initially be none; but in starting to look for such benefits it will cause a whole different level of engagement between that business and the security team.
7. Wishful Thinking for Others
If you could make a wish and ask all our Boards or executives to do one thing that would benefit their security and make the lives of their CISOs easier, what would it be?
I like the wishful thinking questions the most. I tend to use a similar framing to encourage more ambitious goals, albeit phrased as “if you could wave a magic wand, what would you do?” It cajoles people out of a fixed mindset, or out of an assumption of constraints that may be less binding than people imagine. In answering this question it is hard to pick one thing, or even to make it a small list. For me, I think of this as: what is the point of maximum leverage? That thing which, if it becomes effective, can apply the most transformational power over the long run. The two I most often use in this context are:
Modernize Technology. Invest in the modernization of your technology platform where security is built in not bolted on.
Create Demand Pull. Get your business units to pull help from security rather than having security keep pushing improvements on them. The main thing is for the CEO not just to provide support and resources for the CISO, but to actually change the dynamic by regularly expecting each business line executive or functional leader to be able to articulate, at some appropriate level, their technology and cyber risks, just as they can articulate many of their other operating or financial risks. Doing this creates and sustains a better dynamic between those executives and the security team.
Bottom line: the good news is that Boards and executives, in the forums and associations they circulate in, treat cybersecurity as an ongoing vital topic they need to address. They have many of the same questions and concerns, and while these are becoming better addressed by all of you, they are still searching for the ways in which these issues can become a more routine and mainstream part of how all the risks of their organizations are managed.