How Boards, especially public company Boards, oversee cybersecurity is a crucial but difficult topic. This previous post discussed how you, as a security or risk leader, can think about representing your program and risks to the Board. In this post we’re going to explore what a Board director can and should do. If you are reading this as a security leader then I hope it will still be useful for how you can advise your Board.
A Board director has a critical role to play in governance and risk management, on behalf of shareholders and other constituents. For cybersecurity this is often perceived as challenging because most Board directors do not have the in-depth expertise to closely direct management of that risk. Some do, of course, and many Boards have at least one member with experience of managing this risk, though usually from a background as a CIO/CTO or a former defense/intelligence professional rather than as a CISO.
There are many, often very good, detailed checklists of what Boards should expect to see from management with respect to cybersecurity. The National Association of Corporate Directors (NACD) in the US and the Institute of Directors (IoD) in the UK have produced some excellent content in partnership with practitioners. There is also plenty of regular commentary from those who work closely with Boards such as this from Marten Mickos of HackerOne. However, I think the level of detail in all this guidance, especially that from the professional associations and consultancies, can sometimes be counter-productive as it can beguile Board members into thinking that if they get what could be good answers to these questions then all shall be well. I have found, in working with and sitting on Boards, that Board members may actually be best served by applying their considerable experience and judgement of strategic and corporate risk to instead ask more basic and fundamental questions - basic questions that would challenge most management of most companies.
Remember, Boards are not management: they are typically not involved in the day-to-day running of a company, nor should they be if they are to remain independent. So they need to be excellent inquisitors, asking the right questions to get the right strategic response from management. Most Boards I’ve dealt with are full of people who, from their in-depth experience, can instinctively do this for strategic risk, finance, marketing, product development and many other disciplines, often without themselves having had a career in those disciplines. So we have to ask: why not also for cybersecurity?
Let’s explore this. First, as we’ve discussed in many posts, cybersecurity is not the only technology or information risk, and it is dangerous to manage it in isolation, mostly because some of your best and most sustainable mitigations come from controls designed to mitigate other technology risks. It is also dangerous because the biggest causal factor of an organization’s cybersecurity risk is often out-of-date or poorly managed technology. Investing only in cybersecurity while neglecting the need to modernize your applications and overall IT is like building on a foundation of sand. So Boards need to look at cybersecurity as one part of the broader question of whether the company is managing its technology or digital transformation effectively enough.
Approaching this more broadly, the major, and perhaps the only, questions Boards need to ask are:
“What are our most important assets and business services? What risks do they face and what controls mitigate those risks? Are those controls continuously measured as operating within expectations? What residual risks remain, and who, at what level, has decided those are acceptable? Do those risks correspond to the goals of the organization? (Remembering that organizations have goals that involve taking risk.)
How frequently is all of this reassessed and what triggers (other than time) cause such reassessment?”
Notice we didn’t mention cyber or even technology once there. This is the set of questions Boards ask constantly (perhaps not literally) for all other strategic risks, and they often get very good and well-developed answers. Security or technology risk teams should be able to answer this effectively. Yes, doing this is hard, actually very hard, but that’s the point. If the Board doesn’t get an effective answer to these questions then it has to keep pressing until it does. Boards do and have done this, and driven massive improvements, across a range of areas: financial risk, safety, geopolitical and regulatory risk and so on. Sometimes under compulsion, but many times just because they were being diligent in their role of representing shareholders and other stakeholders.
Now, we could end here and say just go do that. But in reality you need other techniques. These other techniques need to be somewhat meta in how they get management to think about risk more deeply. They are questions which, when answered well, pretty much guarantee the organization is in good shape. Answering them well requires an apparatus of security and risk management that then almost can’t help being effective and sustainable; the questions are designed to create such an apparatus. In my view these fall into 5 categories.
1. Risk Limits and Thresholds
The Board needs to demand that it be notified, by the Chief Risk Officer, Chief Financial Officer or Chief Executive Officer, when a particularly important metric exceeds or varies from a predefined threshold. It almost doesn’t matter which metrics you pick to apply this to; the point is that it signals that this topic is important and demands attention. The real payoff comes when you realize how much focused work will happen to avoid the CEO having to tell the Board that a critical metric has not been sustained (which is precisely why the CISO should not be the one making this final escalation). Boards do this for other critical topics. Again, why not for security? Some particularly useful metrics I’ve seen used range from the percentage of end-of-life systems, patch levels, and endpoint and production configuration conformance, through to production access levels. Yes, these can seem quite basic and specific, but why not? Many other Board-level metrics for other risk areas are also quite basic but nevertheless effective. However, Boards should remember that specific metrics cannot capture the nuance of all the risks, and this approach alone is not sufficient. So Boards should ask of themselves, and then of management, “What threshold of what metric, if exceeded (or not adhered to), demands immediate Board escalation?”
2. Scenario Analysis
Scenario planning is a useful and underutilized technique that Boards should demand to see more of. Boards often see abstract expressions of risk and can struggle to make sense of them. Scenarios not only place risks in a real-world context but can also be used to push the boundaries of what is prepared for. Some obvious examples might range across ransomware preparedness, disaster scenarios, insider threats, external intrusions and many others. Boards should ask what major scenarios the security and risk team plans for, and what scenarios have occurred in other organizations that they haven’t experienced or planned for. But the real test question is “What is the most severe but plausible scenario that we feel we cannot withstand?” This is getting into operational resilience territory, and it really gets the organization to think hard about where the limits of resilience are. The key thing for Board members is to not be disapproving that those severe but plausible scenarios are not already prepared for, because the question explicitly asked for what cannot be withstood. The next step is to determine how much work you can and should do to be able to withstand it, likely in a degraded state rather than with perfect resilience. Now, this is real Board engagement.
3. Incident Learning and Close-Call Analysis
A variant of scenario analysis is to look at incidents or close-calls (a.k.a. near misses) that have occurred in your organization or another organization; it’s perhaps more enjoyable to learn from others’ issues. Essentially, an incident is just a scenario. The key question here for Boards to probe is: "What close-calls or low-impact incidents were that way because of good fortune alone?" Many organizations prioritize incident reviews based on a loss threshold or the scope of a data spill, for example defining a major incident as one with a greater than $100k loss. In reality many incidents fall below this threshold because of happenstance, not because of controls. For example, a bank that has a brief payment systems failure mid-morning on a quiet summer Tuesday when volumes are low might lose $50k and so dismiss it as a non-event not worthy of serious introspection. However, if the very same incident with the same root cause occurred on a busy end-of-quarter Friday, 30 mins before business close, then the losses might exceed $100M. It was the same root cause.
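As an added illustration of the close-call point above (this is example code written for this page, not code from the original post), the following Python scores an incident by the loss it could have produced had the same outage landed in the busiest window on the calendar, rather than by the loss it actually produced. The hourly volume profiles, the loss percentage, the $100k threshold and the incident details are all constructed assumptions for the example.

```python
"""Counterfactual severity for close-calls: re-run the same outage window
across every hour of every volume profile and compare the worst case with
the realized loss.  All volumes, rates and thresholds below are constructed
for this example and are not figures from any real institution."""

from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple

HOURS_PER_DAY = 24


def hourly_profile(overnight: int, business: int, business_hours: range,
                   final_hour: Optional[Tuple[int, int]] = None) -> List[int]:
    """Build a 24-entry list of transaction volume (dollars) per hour of day."""
    volume = [overnight] * HOURS_PER_DAY
    for hour in business_hours:
        volume[hour] = business
    if final_hour is not None:  # e.g. an end-of-day settlement surge
        hour, amount = final_hour
        volume[hour] = amount
    return volume


# Constructed calendar (assumption): a quiet summer Tuesday and a quarter-end
# Friday whose final business hour carries a $1B settlement batch.
QUIET_TUESDAY = hourly_profile(50_000, 500_000, range(9, 17))
QUARTER_END_FRIDAY = hourly_profile(100_000, 5_000_000, range(9, 17),
                                    final_hour=(16, 1_000_000_000))
CALENDAR = [QUIET_TUESDAY, QUARTER_END_FRIDAY]


@dataclass(frozen=True)
class Incident:
    name: str
    root_cause: str
    start_hour: int       # hour of day the outage began
    duration_hours: int   # whole hours of outage (simplification)
    loss_pct: int         # percent of in-flight volume lost; assumed


def window_loss(profile: Sequence[int], start: int, duration: int,
                loss_pct: int) -> int:
    """Loss if an outage of `duration` hours begins at `start` on this profile."""
    return sum(profile[start:start + duration]) * loss_pct // 100


def worst_case_loss(calendar: Sequence[Sequence[int]], duration: int,
                    loss_pct: int) -> int:
    """Slide the same outage window over every hour of every day in the calendar."""
    return max(window_loss(day, start, duration, loss_pct)
               for day in calendar
               for start in range(len(day) - duration + 1))


def triage(incident: Incident, actual_day: Sequence[int],
           calendar: Sequence[Sequence[int]],
           major_threshold: int) -> Dict[str, object]:
    """Compare realized with counterfactual loss and flag luck-only near misses."""
    realized = window_loss(actual_day, incident.start_hour,
                           incident.duration_hours, incident.loss_pct)
    worst = worst_case_loss(calendar, incident.duration_hours, incident.loss_pct)
    return {
        "incident": incident.name,
        "root_cause": incident.root_cause,
        "realized_loss": realized,
        "counterfactual_loss": worst,
        "major_by_realized": realized >= major_threshold,
        "major_by_counterfactual": worst >= major_threshold,
        # Below the review threshold only because of timing: review it anyway.
        "lucky_near_miss": realized < major_threshold <= worst,
    }


if __name__ == "__main__":
    # Hypothetical incident: a one-hour payment outage starting at 10:00 on
    # the quiet Tuesday, losing 10% of in-flight volume.
    outage = Incident("payments-outage-1", "hypothetical gateway failover fault",
                      start_hour=10, duration_hours=1, loss_pct=10)
    for key, value in triage(outage, QUIET_TUESDAY, CALENDAR, 100_000).items():
        print(f"{key}: {value}")
```

Ranking incident reviews by `counterfactual_loss` rather than `realized_loss` is the practical change: the same root cause that cost $50k on the quiet day would clear the major-incident threshold by three orders of magnitude in the quarter-end window, so it is flagged as a lucky near miss and reviewed as if it had.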
4. Business Line Ownership of Risk
We all talk about the need for business lines to own their risk, but it’s up to the Board to make this happen. The Board should demand that in every presentation of every business, every major product strategy review, every M&A discussion and so on, technology and cybersecurity risk is explicitly covered. But the key is for those questions not to be relegated to some separate agenda item where the CISO or BISO (business line information security officer) discusses those issues; rather, they need to be a core part of the discussion led by the business leader themselves. Sure, they can bring their CISO or BISO for support, but they’ve got to be prepared as well.
If you don't think this is realistic, then imagine a business leader presenting a recommendation for some strategic M&A and a Board member asks a plain question about the impact on revenue and P&L to that business line after the merger, taking into account the risks and costs of integration. If the business line executive doesn’t have any answer and has to turn to their finance lead to cover that, there would be serious questions about their competence. Now, of course, if it was a deep technical accounting treatment question then by all means the executive needs to rely on their finance lead or senior accountant and so the same would apply to technology and cybersecurity risk. It is not unreasonable to expect business leaders to articulate this risk at some level of abstraction having been previously prepared to do so by their CISO or BISO.
A more searching question for Boards to ask of executives is “What adjacent benefits are security controls bringing to your business?” This is a killer question on many levels because it signals the Board's intent, and so the business executive's goal becomes not just to think of security as a defensive mechanism but as a key competitive advantage in support of the organization's goals. These adjacent benefits could include reducing customer friction in transactions, better false positive / false negative balances in fraud prevention to reduce transaction completion failure rates, enabling operations in new and riskier markets, improvements in sales force or developer productivity and so on. The reason this is important is that when line executives know this question is coming they will seek the answer in their preparation for a Board meeting, and so will find or create such benefits with the CISO or BISO. This will increase the perceived (and then actual) value of the security program - seek and ye shall find!
5. Technology Modernization
The world seems to be finally getting that the key to effective technology and cybersecurity risk mitigation is to have a modern technology environment that has been designed to be defensible. However, Boards can in fact struggle (even with former CIOs on the Board) to determine if an organization is doing this effectively. Many revert to the proxy of expenditure rather than more meaningful measures that show actual improvements. This is where asking the right, meta, questions is crucial. For example, “What percentage of our software is continuously built, tested and deployed?” For many organizations this is a very low percentage. Boards should not be too disappointed by this initially but should demand steady progress and will become increasingly aware that as this moves towards 100% then many other risks are mitigated and many adjacent benefits accrue. You don't get to 100% without doing it in such a way that those benefits occur. Such is the power of the meta-questions.
Bottom line: a Board director's role in overseeing cybersecurity risk is hard. Even if a Board director has relevant experience it can still be hard as they are not involved in the day to day operations of the company. So, Board directors have to rely on asking questions to get to the heart of the organization’s issues. Board directors need to ask broader technology and technology risk questions, not just cyber, and need to focus on meta- or systems-level issues to drive the organization to create the right sustainable technology risk management apparatus to support their ongoing digital transformation.