Chapter 3

Inviting the CISO In

The COVID-19 pandemic has led to a major shift in the way businesses operate. Companies of all shapes and sizes have been forced to adapt to a new reality where remote work and socially distanced customer interactions are the norms. This has led to an acceleration of digital transformation efforts, particularly in the area of “touchless” technology, which allows customers to interact with businesses without physical contact. A 2020 study by the Pew Research Center found that by 2025, massive generational shifts will force 75 percent of organizations to adapt their hybrid work strategies to include demands for radical flexibility. As a result of this shift, it is now more important than ever for boards of directors to understand the importance of cybersecurity and the role of the Chief Information Security Officer (CISO) in managing the associated risks. It is also important for the CISO to understand the enterprise from the board’s perspective.

Conversation with the CISO

The CISO is responsible for developing and implementing an organization’s cybersecurity strategy, which includes identifying and mitigating potential vulnerabilities, detecting and responding to cyber threats, and implementing best practices for data protection. One of the best ways to educate a board of directors on cybersecurity and its challenges is to invite the CISO to present to the board’s risk committee on a regular basis and to the full board at least once a year. This gives the CISO an opportunity to present an overview of the organization’s risk framework and cybersecurity posture, including any potential risks, vulnerabilities, and incidents that have occurred. It also gives the board an opportunity to ask questions and gain a deeper understanding of the organization’s cybersecurity strategy and the actions being taken to protect against cyber threats.

The CISO can also serve as a valuable resource to help the board understand the business ecosystem and build a resilient organization that has fiduciary strength. The CISO can provide guidance on best practices for managing cyber risks, such as incident response plans, regular security assessments, and comprehensive cybersecurity strategies. The CISO can also help the board understand the financial impact of a cyber incident, such as the cost of recovery and potential loss of revenue. Finally, the CISO can help board members understand their own part in a response, for example by leading “wargames” or tabletop exercises that simulate a breach so that directors can rehearse their role in incident response.

Confidence to Ask Questions

The board must understand the complexities of cybersecurity, but it is equally important for the CISO to develop an understanding of the enterprise from the board’s perspective in order to explain complex issues in a non-technical manner. The Chair of the board should encourage open dialogue and invite all members to ask questions without fear of being perceived as unknowledgeable. This helps to ensure that both sides have the knowledge and understanding they need to manage cyber risks effectively.

While it may seem intimidating to engage in a conversation with technical executives such as the CISO, their role is to make complex cyber-risk topics simple and to provide contextual relevance to the business ecosystem. Interaction with the board is crucial for ensuring that an organization is prepared and able to respond to cyber threats. By fostering open communication and encouraging all board members to ask questions, the Chair can ensure that the board has the knowledge and understanding it needs to manage cyber risks effectively. Some of the specific areas of inquiry are detailed in the following chapters.
