The CISO's art of communicating with a board of directors (a live demonstration).
If you're charged with communicating to a board of directors, start with an understanding of what that board does. Fundamentally, the board is charged with looking after the health of the business.
SINET founder Robert Rodriguez chaired a panel on a board of directors and its understanding of cybersecurity issues. The panel was particularly interesting in that it amounted to a live demonstration of such communication. Leo Mullin, Chairman of TransUnion's board of directors, was joined by fellow board member Andrew Prozes and TransUnion's Chief Information Security Officer in a discussion of a communication challenge that's more art than science.
Mullin said the board's role is to worry about the health of the corporation. Risk management is broader than just cybersecurity. It includes compliance risk, HR risk, financial risk, disaster recovery, and so on. Corporations also grow and evolve, and so come to need to address new risks as well as new opportunities. In the case of TransUnion, the business started as a credit bureau, but has expanded considerably to offer data to banks. So it now has considerable cyber exposure. The CISO provides expertise the board itself didn't formerly have access to, but boards are accustomed to calling in experts who possess knowledge and expertise the board members themselves don't have.
Boards need to deal with risk generally, and every company, Prozes agreed, has a different set of risks. The board members need to assess and prioritize those risks. Most companies keep data on people. The bigger the company, the bigger the stakes, and the more intense the questioning a CISO can expect from the board. Intensity, however, doesn't mean showing off. "It's easy to be the smart ass in the room, and ask the cute question," Prozes said. But that's unhelpful. Board members need to remember their responsibility for the health of the business.
The CISO is a relatively new position in corporate structures, and regulation has, according to Ossentijuk, driven more engagement between CISOs and boards. He's found it useful to get to know the board through the board's audit committee. Boards are accustomed to bringing in and trusting auditors to inspect their books. There are useful analogies here with calling in appropriate outsiders to audit the business's cybersecurity.
Asked about innovative solutions, Ossentijuk said he's most concerned with efficiency. Does a tool reduce overhead and burden?
Mullin closed by observing that cybersecurity is fundamentally a defensive proposition. Yet one tends to think offensively with respect to running one's business. So addressing cybersecurity effectively can be complicated, and it may involve a deliberate return to the fundamentals of considering business risk.