Written by Rebekah Lewis
Published December 7, 2016
Board-level executives are beginning to take notice of cybersecurity as an enterprise risk that requires high-level strategy and engagement. Even so, those charged with managing cybersecurity risk still face a formidable challenge when it comes to getting sufficient Board-level airtime and buy-in. How can CIOs, CISOs - or other personnel responsible for managing cybersecurity - attract the attention and interest of the Board and get cybersecurity on senior leadership's radar? American University recently hosted a discussion on this issue. Read on for some tips from the field.
Recently, American University Vice President and Chief Information Officer Dave Swartz and Chief Information Security Officer Cathy Hubbs hosted a discussion with regional CIOs and CISOs from the higher education sector regarding cybersecurity program development and strategies for increasing top-level engagement. During the event, which was co-sponsored by Verizon and the Kogod Cybersecurity Governance Center (KCGC), many participants agreed that their interaction with their Boards and other senior leaders regarding cybersecurity is still fairly limited. But many participants had also made significant strides towards increasing engagement. During a discussion facilitated by the KCGC (Bill DeLone and Rebekah Lewis), they discussed a number of effective strategies and tips:
While a data breach or other significant security incident is never welcome news, participants agreed that these moments present a powerful opportunity to land an audience with the Board to discuss cybersecurity risk and the importance of investing in a program that will adequately address this risk. Breaches can be used to highlight the value of the organization's data and the need for its protection. Similarly, DDoS attacks or other business interruption events create an opportunity to validate and quantify the value of information technology assets that may not be the typical "shiny objects" (see below) at the forefront of the Board's mind, but which may actually be among the organization's most prized "crown jewels."
A similar way to achieve the same effect is by using a security incident at a peer organization as a cautionary tale, and an urgent reason to address the Board as a preemptive measure. While this approach may be a little less powerful, it has the added benefit of giving the security team a proactive "glow" while also avoiding the unpleasantness of an actual incident.
If well-framed, a security event can be used to showcase the importance of certain assets and capabilities, the need for investment in a comprehensive cybersecurity program and the value of ongoing dialogue with the Board to ensure they are ready to respond when needed.
LEVERAGE SHINY OBJECTS
Many CIOs and CISOs agreed that senior leadership generally still views their organization as a cost center and, therefore, the primary focus of any Board-level engagement is on cost management. One way to get a foot in the Boardroom door while also changing the discussion focus is to ride in on your own "Trojan horse." Identify the cutting edge technologies and capabilities that shine the brightest in leadership's eyes and recommend a briefing to the Board focused on the new toys' cool moves and all the value they will bring to the organization. Fold into this discussion critical security features relevant to the shiny object, and how these features will protect, and potentially increase, the organization's return on investment. In short: if the organization's leadership is enamored of shiny objects, show them that these gems will not shine without cybersecurity.
LEVERAGE YOUR NETWORK (INCLUDING YOU)
Participants noted that there is more than one way to get into the Boardroom, including through a number of different relationships. Educating senior leadership and other colleagues who do attend Board meetings about the importance of cybersecurity to the company's value can increase the likelihood that related issues will be raised during Board meetings, and the need for a more in-depth briefing will come to light. Beyond building relationships and investing in organizational education about cybersecurity as a general matter, CIOs and CISOs might consider pitching to other Boardroom invitees the idea of a team presentation highlighting a topic of shared concern, and including cybersecurity in the briefing. Another effective strategy is to develop relationships with internal and external auditors, drawing attention to the importance of technical security features and cybersecurity risk management generally, and the need for the Board to understand these issues as critical elements of the auditing process.
Perhaps one of the most obvious ways to increase engagement with the Board is by making the most of any first opportunity to present to them, demonstrating the need for and value of continuing dialogue. Participants noted that, if executed effectively (see below), one engagement with the Board can lead to additional requests for follow-up briefings and updates.
Beyond the First Foray
While getting into the Boardroom and onto senior leadership's radar can be a substantial challenge in itself, capitalizing on that first engagement is also critical. One of the primary goals of any opportunity for engagement with senior leadership should be to begin establishing an ongoing dialogue about cybersecurity by conveying 1) the value that an effective cybersecurity program will bring to the organization and 2) the Board's shared responsibility for (and ability to effectuate) the program's success. Participants at the recent discussion also shared a number of successful strategies for promoting this kind of ongoing dialogue with Board-level leadership:
To demonstrate the current or target value of their cybersecurity program, a number of participants cited benchmarking against peer institutions - the "keeping up with the Joneses" approach - as an effective strategy for providing senior leadership with useful metrics in relatable terms. In addition to using industry surveys and other research for benchmarking references, talking directly with CIOs and CISOs at peer institutions is an extremely effective way to gauge an organization's relative performance. Developing relationships with peers is useful not only for benchmarking but for other information sharing purposes (and more) as well.
CASE STUDIES AND TABLETOPS
Case studies and tabletop exercises are also powerful ways to demonstrate the value of a cybersecurity program and illustrate the specific responsibilities of senior leadership and the Board in certain scenarios. These activities create compelling narratives, showing (rather than just "telling") the many moving parts of cybersecurity risk management in a more digestible, contextual format and with built-in opportunities to point out key takeaways and remedial measures.
Walking through a simulated tabletop exercise or examining a case study of a security incident, including its aftermath, will highlight senior leadership's key decision points in the incident prevention, response and recovery process. This approach will help senior leaders to see - vividly and in context - that they would be wise to ensure the organization has an adequate cybersecurity program not only for the benefit of the organization but also because they may, and likely will, be held responsible by various stakeholders, including regulators and potentially courts, for cybersecurity-related failings.
Relationship-building with the Board and other senior leadership - whether through discussions on cybersecurity or otherwise - is also a critical strategy for developing a sense of shared responsibility among senior leadership and the Board. In addition to engendering mutual respect and appreciation for the complex challenges involved in mitigating cybersecurity risk, building a rapport with senior leaders and Board members will facilitate greater understanding about the issues, which will in turn help them to feel empowered to take responsibility. Without sufficient understanding of the component parts and decision points, leadership will always be hesitant - and understandably so - to accept responsibility for matters they feel little ability to control. Instilling leadership with a sense of empowerment should be, therefore, one of the top strategic priorities for personnel responsible for cybersecurity.
HAVE A GAME PLAN
One of the first rules of good business (whether internal or outward-facing) is to offer solutions, not problems. And while cybersecurity may seem uncharted and unique, it is a business risk all the same and this maxim still applies. An effective cybersecurity strategy cannot be based on discrete recommendations about, for example, encryption of data-in-transit, role-based access control or even the requirements of a good vendor management program. A solution that will empower and motivate senior leadership will be comprehensive, structured, straightforward and sufficiently high-level to encompass the full range of relevant issues.
Recommendations to simplify cybersecurity issues or talk in "business terms" when speaking to Board-level personnel miss the mark (and underestimate the intelligence of senior leadership). In fact, the Board and senior executives may, and probably will, need to understand certain technical elements, details and nuances of cybersecurity risk and risk management, and many are perfectly capable of this level of comprehension if given the right information. The key is not to "dumb it down" or learn to speak only in business lingo, but to communicate clearly, concisely and in a way that provides the necessary logical support for any conclusions drawn. This approach will empower the Boardroom audience to ask questions, to weigh the issues that are clearly laid out before them, to draw their own conclusions - in short, to take responsibility.
As many participants at the recent discussion agreed, a number of existing frameworks provide a very useful starting point for crafting an effective cybersecurity game plan. These frameworks include the Cybersecurity Framework developed by the National Institute of Standards and Technology (NIST), the International Organization for Standardization (ISO) 27001 standard on information security management and ISACA's COBIT Framework, but others exist as well. Many U.S. and even international organizations have adopted the Cybersecurity Framework developed by NIST as a foundation for their cybersecurity game plan, in large part because it is high-level, flexible and describes key cybersecurity functions in concise, logical and structured terms. However, even regulatory regimes or industry best practices can provide a jumping-off point for a well-structured and sufficiently comprehensive strategic solution.
Overall, participants in the discussion noted that the above mechanisms and strategies served the critical purpose of helping Board-level leadership understand cybersecurity in context. Perhaps most importantly, participants noted that improving leadership's understanding will help them feel empowered to make meaningful decisions in this arena, which will encourage them to take real ownership of cybersecurity as an issue that cuts to the core of their responsibilities.