This article is the second in a series of articles by NAV Canada vice-president and chief information officer Claudio Silvestri about talking to your board about cybersecurity.
Who are they anyway?
Knowing your audience is key, especially when you’re speaking with your board. Your board is, after all, a collection of experienced, knowledgeable, and smart people — that’s why they’re on the board. Individually, they bring a piece to the collective body; in unison, these pieces work together to the benefit of a business.
Depending on the industry, specific backgrounds might vary, but most boards would likely have members skilled in Finance, Human Resources and Labour, or have members with specific industry or public sector experience.
Knowing the makeup of your board helps you not only develop your message but also anticipate and prepare for individual perspectives that come through in questions members may ask of you. Simply put, you should expect finance-related questions from those with a finance background, or HR-related questions from those with an HR background.
For many boards today, however, there is a general lack of technology experience. Even in tech-oriented organizations, boards tend to be bereft of practical IT experience to the same level and depth of members who bring, say, the financial element.
So when it comes to the cybersecurity risk, which is rooted in IT, boards have yet to home in on the best ways to provide oversight and support to those charged with the management of risk.
But don’t think for a minute that you can dazzle them with you-know-what. That’s a fatal mistake. Don’t think you can play a game of Chicken Little — the only sky that will end up falling is yours. And make sure you don’t overstate the risk in order to get them to agree to something — you won’t get what you’re looking for, and you certainly won’t get a second chance. Remember: most board members have a superior sense of smell.
At what level do they tend to operate?
In order to understand how to most effectively communicate with your board, it is important that you are familiar with their level of conversation. If you have never presented to them before, you can simply ask your CEO or CFO to give you a sense of the level of detail that is expected. Going in with low-level and highly detailed material to a board that operates at 30,000 feet could make for a very long meeting. About the only thing board members will remember is to never invite you back.
So, learn to tune your material and verbal delivery to reflect where your board members naturally operate. One thing I’ve learned is that sometimes even a board that likes detail appreciates brevity. So instead of 12 key performance indicators (KPIs), give them the most important three and put the rest in the appendix. Less is almost always more.
What are their priorities?
Like any other group in an organization, boards have a set of priorities that they focus on that reflect the nature, health, and future of a business. And make no mistake — the reason you’re being invited to speak to them on cybersecurity is because cybersecurity is now among the top five business priorities that boards across all sectors are dealing with. So you’re going in to see them on a topic that matters to them. They’re serious about it — or at least they should be by the time you’re done with them.
On the other hand, don’t think cybersecurity is the only thing on their minds. Cybersecurity may be a growing priority, but it’s only one of many priorities for board members and the organization. So you must understand where in their minds cybersecurity stands in terms of priority. How important is it? Why is it important?
Make no mistake — cybersecurity is important to them, and for a number of reasons; among them is the real cost associated with providing the right level of cybersecurity capabilities and countermeasures to protect the organization. As in all businesses, funding is not infinite and must be balanced with all other priorities.
Cybersecurity may be getting a lot of attention, and most boards are giving it priority, but make sure what you’re asking for is balanced, well thought out, and lines up with board expectations on where cybersecurity sits among the many priorities and risks facing your company.
What is the risk tolerance of the organization?
Risk tolerance relates to the balance between the effort and cost of reducing the inherent impact and likelihood of a particular risk — to the point where the residual risk is acceptable. In other words: how much money and effort you’re willing to expend to avoid a bad thing from happening. From a cybersecurity point of view, the only way to understand how much money and effort is reasonable or required is to first understand the real costs to your organization should the worst occur.
Measuring the cost and impact of a cybersecurity event can be challenging, and depending on your industry and who has to be involved, it can quickly become unnecessarily complicated and frustrating. After all, how many different scenarios can you realistically or practically consider when trying to peg a value to this risk, to the point that it makes a material difference in how you would invest or manage the risk anyway? Good cybersecurity hygiene, as an example, is an at-minimum expectation, and can cover a great deal of the inherent risk without making incremental investments. Go up from there.
You should work with those in your organization who have the responsibility for risk management (your legal team, for example). Determine the absolute worst-case cybersecurity event in the context of your business and industry, define the costs and impact of such an event to the highest common denominator, and make that your baseline. This will define the basis for asking for and making incremental investments in your cybersecurity program, and by definition cover pretty much all other cybersecurity risk scenarios.
If your organization intends to transfer the cybersecurity risk through insurance products, then this approach would help your legal team determine the level of insurance required as well as specifics about the coverage elements you need or want.
That said, this does not absolve you from owning the specifics on countermeasures, response plans, and eradication approaches. More on these later.
What is their level of understanding of cybersecurity?
Another essential element when talking to board members about cybersecurity involves their understanding and appreciation of it. Do they understand when you talk about basic cyber hygiene — what that means in practice, and how it’s measured? Do they appreciate what the specific threat vectors are, what they mean to the organization, and how they work in general terms? Do they know what leading practices define a well-organized and complete cybersecurity program?
These are just the basic things board members should know in order to effectively perform their duties. Lack of knowledge does not excuse them from their accountability as an oversight body.
It is in this area that you, as an IT leader, can add the most value and gain the most credit. Individual board members may need help understanding what they need to know about cybersecurity. Some may well be proactive in self-study, attending conferences, or even just paying close attention to the topic in general and the trends therein; however, there will always be those that need (and appreciate deeply) your help.
Believe me — by helping board members individually and collectively, you will be serving your company very well. You will have an easier time when it comes to dealing with funding issues, priority decisions, and when the time arrives (and it will), dealing with a cyber event.
If board members are knowledgeable about the right things pertaining to cybersecurity, they will be in a better position to support and lead moving forward. So the message here is: help them help you.
Is your board taking cybersecurity seriously?
There are some clear signs that your board has not yet fully embraced the fact that cybersecurity is a critical enterprise risk, and one that they need to incorporate as part of their vernacular and discourse.
The most obvious signal is that they are not talking about it — neither to you nor anyone else — on a regular basis. Now, I would be shocked if at this point your board members are not talking about it at all. However, if that is indeed the case, know that it is not a good thing, especially for you. It also means you have a wonderful opportunity to show leadership, and work to get it on their agenda.
Many boards have delegated the oversight to standing committees such as the Finance and Audit committee, with fewer boards keeping the oversight with the full board. In either case, the happy fact is they are acknowledging that oversight is required, and have made a deliberate choice about how it should be handled. This is an excellent sign.
Another indicator that your board has embraced the fact that cybersecurity is a critical enterprise risk is in what is being discussed and what those conversations look like.
When discussing the impact and risks of a cybersecurity breach, do members have an appreciation of what that means in the context of the organization and all its stakeholders? For example, when discussing ransomware as a type of threat, do they understand what’s required to prevent, detect, and remediate it? As a type of threat, do they think it’s an isolated event having minimal impact to the organization, or do they truly understand the full potential impact of such an event?
Unfortunately, some boards still see cybersecurity as a technology-related issue, and in doing so fail to recognize that while it may be rooted in technology, it’s a significant business risk that can impact everything inside the organization and many other things outside the organization, including customers, partners, and broader stakeholders.
As uncomfortable as it may be, members need to have a greater appreciation of the underlying technical elements while at the same time elevating their own discourse to the same level as when they talk about other important business risks facing the organization.
All roads lead to one question…
In the event of a cyber incident, is the company in a defensible position?
As has been said many times — though I cannot recall the original source — there are only two types of companies: those that have been breached and those that don’t know they’ve been breached.
When you’re breached, will your organization be able to clearly demonstrate to all your stakeholders, perhaps even the courts, that the company did everything it reasonably could to prevent the event? If your answer is not a resounding “yes,” you might want to keep reading.
Next article in the series: “Talking about cybersecurity to your board – What are their expectations?”