It wasn’t long ago that enterprise CISOs were trying to gain the attention of the board of directors. Before the massive data breach at Equifax, the leak involving the personally-identifiable information of more than 500 million Facebook users, or any number of other high-profile security incidents that have dominated headlines the past couple of years, issues concerning security were typically included in the broad category of risk, which often fell under the purview of the COO or CFO.
But as Bob Dylan sang, “The times, they are a-changin’.”
Nowadays, anxious corporate board members are asking, “Can something like that happen to us?” and taking steps to ensure security is part of every board conversation. However, now that the CISO is being invited to sit at the table, many questions remain: How should they best communicate technical security issues to a nontechnical board? What best practices might they borrow from other departments that regularly participate in board meetings? COVID-19 has only heightened this need, as new realities such as a sudden surge in remote workers, moves by many businesses to rush new apps and features into production, and attacker activity exploiting the pandemic raise new cybersecurity challenges.
What does the CISO need to do to make the most of the opportunity in front of them?
Security Is A Business Issue
Whether it’s a data breach that exposes the personal information of your customers, penalties imposed for noncompliance with data privacy regulations, or a major business disruption caused by a ransomware attack, the consequences of poor security oversight are broad, multifaceted and unpredictable.
Businessweek recently published a feature story about a hacker hired by the CEO of Cellcom Liberia, Liberia’s second-largest telecom provider, to disrupt the service of its largest market competitor, Lonestar. When Cellcom was later acquired by French wireless carrier Orange SA, Orange was determined to have "vicarious liability" due to the actions previously taken by Cellcom “even if it didn’t know what the conspirators were up to, because of laws making companies responsible for the conduct of employees. Orange said in a statement that it knew nothing about [the hacker’s] activities until it received the legal complaint from Lonestar in 2018.”
This is one of many recent examples of a global conglomerate being blindsided by security risks, with its executives and board of directors having little to no visibility until forced to deal with the fallout.
Building A Blueprint For CISO Boardroom Success
Now that the CISO has secured a seat at the board table, what should they do to make the most of this opportunity? Here’s what my experience as a cybersecurity executive and independent board member has taught me:
• Communicate in terms the board understands. Corporate boards speak in the language of business performance, and consequently, the successful CISO must adapt their lexicon to effectively communicate. For instance, use risk benchmarks in comparison to industry peers rather than describing the specific security technologies in place. Otherwise, CISOs run the risk of being viewed merely as technologists rather than as strategic business enablers.
• Hire a third-party security auditor. Just as a board relies on third-party auditors to validate financial results, consider hiring an independent security auditor to identify gaps and demonstrate that the appropriate technologies, processes and controls are in place.
• Don’t fight legislation — work to enhance it. As we’ve seen in the wake of Sarbanes-Oxley nearly 20 years ago, or with newer legislation like the California Consumer Privacy Act (CCPA) and the EU’s General Data Protection Regulation (GDPR), government will continue to enact legislation when public opinion reaches a boiling point. While these regulations can feel like an unnecessary compliance burden, they also provide an opportunity to better understand and evaluate business risks.
• Define and standardize security metrics. Every board relies on operational and performance metrics to measure effectiveness and address deficiencies across the business. While defining metrics for security can be challenging given the unique risks present in each business, it’s worth investing the time. The NIST Cybersecurity Framework, with its five core functions (Identify, Protect, Detect, Respond and Recover), provides a good starting point for identifying and prioritizing the key categories and building a cybersecurity reporting scorecard.
No Standardized Security Playbook
The audit committee, which is responsible for providing oversight of financial reporting and disclosure, is a standardized function of every publicly-traded company’s board of directors. The rules and roles are well established and clearly understood. Board members focus their attention on the business and performance issues, while the audit committee identifies and reports on any "material risks" — be they environmental, social or geopolitical — that might adversely impact the business.
All audit committees operate in pretty much the same way. They rely on independent third-party auditors and generally accepted accounting principles (GAAP) to review financial statements and monitor internal controls. Whether you’re a consumer products manufacturer or a global technology service provider, the audit committee’s playbook is more or less the same. In contrast, the domain of cybersecurity is the Wild West: The threat landscape changes on a daily basis, and systems are constantly in flux. Plus, every company assesses risk in different ways, making it especially challenging to standardize reporting and measure operational effectiveness.
Just because there’s no standardized security playbook the CISO can employ as a reference framework for communicating with the board doesn’t mean there aren’t practical steps to take in the immediate term. Whether you work to build consensus about the metrics used to report on security issues or collaborate with a third-party security auditor to provide objective feedback on current processes and controls, proactively engaging in these types of initiatives will go a long way toward demonstrating commitment.
While it’s heartening to see the CISO becoming a fixture in the boardroom conversation, their long-term success will require a combination of both the strong technical skills that got them there in the first place and solid business and communications skills to effectively translate the nuances of security in terms the board will understand.
May 15, 2020 at 06:11PM
https://ift.tt/2TbyuCe
CISOs Finally Have The Board's Attention -- Now What? - Forbes