Cybersecurity’s emergence as a strategic risk has given the relationship between chief information security officers (CISOs) and board members greater importance, and higher stakes. Building a stronger cybersecurity capability requires directors to take their relationship with CISOs (and with information technology (IT) executives who carry similar responsibilities) to a new level, notes Santa Fe Group Chairman Catherine Allen.
Allen, who currently serves on four corporate boards, has addressed cybersecurity risks as both a board member and a C-level executive throughout her 30-year career. Here she shares five steps boards can take to strengthen their relationships with CISOs and their oversight of cybersecurity:
- Commit to a risk committee: Few audit committees have the time or expertise needed to address the broad range of operational and strategic risks that cybersecurity oversight demands, including IT security, data privacy, regulatory compliance and reputational risk. Standing up a board risk committee composed of directors, C-suite executives and the organization’s IT leaders signals that the company is committed to giving cybersecurity the governance resources it warrants. A risk committee also helps educate more board members on cybersecurity and emerging technology issues.
- Recruit cyber-savvy directors: Recruit at least one director (preferably more) with cybersecurity, IT and/or digital expertise. In addition to applying their knowledge to cybersecurity governance, these directors can help educate the rest of the board.
- Exercise and engage: Seek out opportunities to participate in tabletop incident-response and scenario-analysis exercises (often staged by outside experts), hold offsite discussions on cybersecurity issues, attend conferences, share articles and host presentations on cybersecurity topics.
- Care for your CISO: The CISO should meet with the board of directors or its risk committee in executive session, without other executives present, at least once a year, so that directors hear the CISO’s perspective firsthand and can confirm that the CISO is getting adequate support from the CEO, CFO and CIO. In those discussions, directors should focus on the organization’s adherence to industry best practices and standards (e.g., the NIST Cybersecurity Framework and PCI DSS), crisis management plans, cybersecurity insurance, regulatory compliance requirements and related matters. Directors should also watch the CISO’s well-being: these executives are under tremendous strain, with a shrinking average tenure (about two years) and a susceptibility to stress-driven health problems.
- Look through a new lens: At a strategic level, it helps to think of your business as a technology company rather than as a financial services, healthcare, retail, manufacturing or public-sector company. Technology increasingly drives every organization, so more of an organization’s value now depends on cybersecurity. From a risk and governance perspective, it also helps to look through the eyes of the different adversaries who attack your defenses. Understanding the differing motivations of nation states, criminals, hacktivists and even disgruntled employees gives directors a deeper appreciation of the oversight cybersecurity requires.
CISOs and other cybersecurity executives can also help directors strengthen their cybersecurity oversight, as this article covers.