Know how to respond to your board’s most likely security questions.
How secure are we? Why do we need more money for security, when we just approved X last year? What do you mean we’ve had four incidents? I thought you had everything under control.
Chances are, most security and risk leaders have heard these questions, possibly multiple times, from their boards of directors.
Recently, boards have been asking security and risk leaders for guidance on how to navigate a global pandemic, increased phishing threats and, potentially, a workforce unaccustomed to working from home.
“The problem is, these questions are unanswerable,” said Sam Olyaei, Director Analyst, Gartner. “They are driven by exaggerated, incomplete or contradictory public information and are a distraction from more relevant questions.”
In 2020, 96% of $1B+ organizations reported to the board at least once in the past year. Boards today are more informed about cyberrisk, with just 15% of directors reporting their boards have very little to no knowledge of cyberrisk, down from 22% in 2015.
Further, boards are using the increased focus on cybersecurity to guide business decisions. In 2019, a Gartner survey of security and risk leaders found that four of every five respondents noted that risk influences decisions made at the board level.
Additionally, security leaders need to be able to give the board something that they care about and that is meaningful to them. Beyond individual passions and concerns, boards collectively generally care about three things:
- Revenue/mission: Operating or nonoperating income and enhancing nonrevenue mission objectives
- Cost: Future cost avoidance and immediate decrease in operating expenses
- Risk: Financial, market, regulatory compliance and security, innovation, brand, and reputation
“As board members realize how critical security and risk management is, they are asking leaders more complex and nuanced questions,” said Olyaei. “Boards today are becoming more informed and more prepared to challenge the effectiveness of their companies’ programs.”
Most board questions can be categorized into five areas.
The incident question
What it sounds like: How did this happen? I thought you had this under control? What went wrong?
Why it’s asked: These questions are asked when an incident or event has occurred and the board either already knows or the CISO is informing them of it. This is particularly relevant for CISOs during the COVID-19 pandemic, when boards may be asking questions specific to securing the organization while large portions of employees are working from home under unusual conditions. This could also be in reference to any other incident, including data breaches that may have impacted the organization in general.
How to respond: An incident (regardless of category) is inevitable, so be factual. Share what you know and what you are doing to find out anything you don’t currently know. In short, acknowledge the incident, provide details on business impact, outline weaknesses or gaps that need to be worked out, and provide a mitigation plan.
Be cautious not to endorse one option as the ultimate choice when in front of the board. The responsibility for oversight of security and risk remains with the security leader, but the accountability has to always be defined at the board/executive level.
The trade-off question
What it sounds like: Are we 100% secure? Are you sure?
Why it’s asked: Questions like this are often asked by board members who don’t truly understand security and its impact on the business. It’s impossible to be 100% secure or protected. The CISO’s role is to identify the highest-risk areas and allocate finite resources toward managing them based on the business’s risk appetite.
How to respond: Begin with something like: “Considering the ever-evolving nature of the threat landscape, it’s impossible to eliminate all sources of information risk. My role is to implement controls to manage the risk. As our business grows, we have to continually reassess how much risk is appropriate. Our goal is to build a sustainable program that balances the need to protect against the need to run our business.”
The landscape question
What it sounds like: How bad is it out there? What about what happened at X company? How are we compared to others?
Why it’s asked: Board members will come across threat reports, articles, blogs and regulatory pressure to understand risks. They will always ask about what others are doing, especially peer organizations. They want to know what the “weather” looks like and how they compare to others.
How to respond: Avoid guessing at the root cause of a security issue at a different company by saying, “I don’t want to speculate on the incident at Company XYZ until more information is available, but I’ll be happy to follow up with you when I know more.” Consider discussing a series of broader security responses such as identifying a similar weakness and how it’s being fixed or updating business continuity plans.
The risk question
What it sounds like: Do we know what our risks are? What keeps you up at night?
Why it’s asked: The board knows accepting risk is a choice (if they don’t, that’s a challenge you need to solve). They want to know that the company’s risks are being handled. CISOs should be prepared to explain the organization’s risk tolerance to defend risk management decisions.
How to respond: Explain the business impact of risk management decisions and ensure that your positions are supported by evidence. The second part is vital because the board is making decisions based on that risk tolerance. Any risk outside the tolerance level requires a remedy to bring it within tolerance. This doesn’t necessarily require dramatic changes in short periods of time; beware of overreacting.
The board will be seeking assurances that material risks are being adequately managed, and it will accept that subtle, long-term approaches may be appropriate in some instances. Remember, the board is accountable for “enterprise” risk, of which cyberrisk is a small, albeit important, component. Challenge yourself to be brief and to the point. A lack of a control is not a risk, and neither is the next big threat. Focus on the big-ticket items that you control (Loss of IP? Regulation? Third-party risk?).
The performance question
What it sounds like: Are we appropriately allocating resources? Are we spending enough? Why are we spending so much?
Why it’s asked: The board will want reassurance that security and risk management leaders are not standing still. Board members will want to know about metrics and ROI.
How to respond: Use a balanced scorecard approach in which the top layer expresses business aspirations and the performance of the organization against those aspirations is illustrated using a simple traffic-light mechanism. As much as possible, explain aspirations in terms of business performance, not technology. Performance is underpinned by a series of security measurements that are evaluated using a set of objective criteria.