As a cybersecurity professional who is also an active board member for several organizations, I have had the unique opportunity to watch from both sides of the boardroom table.
In such meetings, directors ask highly informed and proficient questions of the CFO, while CISOs continue to wearily answer endless questions about nonsensical movie-plot hacking scenarios and immaterial technical metrics.
All of this has led me to ask, why are boards simply unable to apply their skills and experience in governance and enterprise risk management of financial assets and business processes to the digital realm?
It was during an audit committee meeting several years ago when the answer finally came to me.
We were discussing the state of the organization’s current ratio — I had no recollection as to what it measured, so I had largely withdrawn from the conversation. That’s when I realized that I was abdicating my duty of care for no reason other than I didn’t want to ask a question that would betray my ignorance on the subject matter being discussed in front of my peers.
When I mustered the courage to raise my hand and ask for help, it turned out that I wasn’t alone in my financial ratio ignorance.
What this episode made me realize is that the business executives, lawyers and accountants that populate most boards must experience this same level of anxiety when reviewing a technical report that I have in trying to decipher a balance sheet. This leaves them in a similar situation of not knowing how to fulfill their duties and responsibilities as a board member when it comes to items on the agenda such as digital transformation and cybersecurity. Many likely stay silent, as I had done, or ask ill-informed questions — but rarely, if ever, raise their hands and ask for help.
When you join a board of directors, it is required that you either possess — or will quickly obtain — a degree of financial literacy, while staying out of operational matters. This is often referred to as “noses in, fingers out.”
To achieve this, board members perform much of their expected duties by informing themselves and asking questions. The better informed they are, the more likely they are to ask pertinent questions. Most directors come to the role with a medium to high level of financial literacy but unfortunately, there is no such cyber-literacy equivalent or requirement. This is likely the reason why there is such a disconnect between the CISO and the board.
While board members don’t need to be able to write firewall rules, they should attain and maintain an acceptable level of “cyber-literacy” that includes familiarity with the cybersecurity domain and associated risks sufficient to ensure the fulfillment of their governance, oversight and fiduciary responsibilities. Facilitating the achievement of this level of cyber-literacy can therefore become a key opportunity and positive engagement point for the CISO with the board.
Creating a formal cyber-literacy program for the board, which defines a baseline of knowledge as well as other resources that will allow board members to keep up to date, is a great place to start. This can include articles, books, podcasts, and other information sources curated and continuously updated by the CISO and the cybersecurity team.
The monthly board briefing package should include updates on key metrics and performance indicators measured by management which have been chosen in collaboration with the CISO to ensure they are effective for informing the board’s oversight responsibilities. An excellent example would be security posture maturity as measured against a standard framework such as NIST. This can be enriched by the inclusion of strategic threat intelligence relevant to the business, including curated industry reports and news clippings that provide insight into overall trends and topics that are receiving media attention.
A mechanism to solicit questions from the board in advance of the meeting and offering a pre-meeting briefing can greatly increase the effectiveness of the questions asked and the chair’s ability to moderate effective discussion.
Investing in the development of a cyber-literate board that views cybersecurity as an enterprise-level strategic risk, understands the legal implications of cyber-risk, and adopts an enterprise framework for managing that risk, will improve the overall security posture of the organization.
For those wanting to learn how to “get your board on board,” my latest webinar is a great starting point.