Boards are in the business of managing risk, and they're accustomed to quantifying that risk in familiar business domains—financial risk, regulatory risk, and so on. But cybersecurity risk management remains in a relatively immature state. A panel on "Governance, Measurement, and Response" took up the issues surrounding cyber risk management.
Moderated by Mark Weatherford (Chief Cybersecurity Strategist, vArmour, and Senior Advisor, the Chertoff Group), the panel included Deborah Guild (Chief Security Officer, PNC Bank), Joe Gottlieb (Vice President of Corporate Development, Sailpoint), Brad Hibbert (Chief Technology Officer, BeyondTrust), and Vijay Jajoo (Partner, KPMG Cyber).
Staying ahead of legislation.
Weatherford began by noting that legislators are looking more closely at boards' responsibilities and are preparing to act. As boards' responsibility for cybersecurity grows clearer, the question they will ask, "are we secure," is an inherently difficult one to answer, the panel thought. To address it, they advised a number of steps, prominently including "making the conversation data-driven."
Practical steps for CISOs.
So how might CISOs usefully approach their engagement with their board? That there should be such engagement is a foregone conclusion.
Guild plans the topics of her annual cyber report a year out, and plans for "interrupts." The goal is to provide the board with useful information, not to overwhelm them. She sees security as the "ultimate brand differentiator," and argued that it's important to help the board see this. She stressed the importance of stratifying risk—doing so will at least help prevent you from being perceived as simply crying wolf.
She emphasized the overarching importance of identity management ("get that right and there's less cleaning up after the parade") and of communicating with the board in ways that optimize their guidance and feedback.
Gottlieb stressed the importance of risk management to the board—that, and not prevention, is and should be their focus. He noted that the best security teams excel at pruning their tools, and he advised CISOs to figure out how to do the same.
Risk management classically involves quantification, and Hibbert saw a challenge in showing return on security investments, and in maximizing that return on investment. Looking inward at the CISO's own operation, he advised CISOs, "Ask whether your people can handle what you've got. Don't simply buy wildly. Take use cases to vendors."
Jajoo agreed, and maintained that quantification, particularly forward-looking metrics, was essential to reaching the board. He also warned that security fatigue is setting in with boards, who are tired of CISOs always asking for more money without being able to connect those requests with any return on investment. "If you're not able to protect the company, more boards are looking simply to transfer risk," by purchasing insurance.
Translation and levels of spending.
Weatherford noted that the larger the company, the more difficult it becomes to say what its cybersecurity spend is, still less what it ought to be. And, Hibbert added, vendors could do a much better job of providing tools that give quantifiable feedback to the business. Vendors could in particular do more of the "heavy lifting in translation" for the board.
Jajoo recommended simplifying your taxonomy, your stack, and your kill chain from a risk perspective. He made a plea for CISOs to provide context. Gottlieb saw an instructive similarity to the quality movement: baseline cybersecurity, and track metrics that can show progress (or the lack thereof).
Security and the reputation of your brand.
Guild took the last word, returning to the importance of security for the brand. Her personal hashtag for the business is #TogetherBuildingTrust. Reduction of customer friction is the next battleground in competitive brand-building, another reason identity management is so important. Security, she said, is central to trust, and therefore central to brand building.