This article is the third in a series of articles by NAV CANADA Vice-President and Chief Information Officer Claudio Silvestri about talking to your board about cybersecurity.
Remember that the role of the Board is to provide oversight by collectively directing the affairs of the company, to ensure stakeholder interests are appropriately satisfied. This includes oversight of a broad range of topics, including business risk.
Everything you do to manage cybersecurity comes back to one thing: how it reduces your company’s risk to a level that is acceptable to your Board or to Executive Management.
Your Board will always want to know how resilient your organization is when it comes to recovering from cyber-attacks — a simple question with a not-so-simple answer.
Good directors have a knack for simple questions that quickly get to the heart of the matter. Often, we get lost in the minutiae, and in the process lose sight of the simplest and most obvious elements of what we are dealing with. If you allow it, a cybersecurity discussion with Board members will slide very quickly and easily to a level of detail where you will lose their attention. Therefore, in answer to the question of how resilient your organization is, you will have to develop a simple but comprehensive answer that will give your Board confidence in you and what you are doing to create that resilience.
Your answer should reflect your overall cybersecurity program, countermeasures, and risk management framework. It should be distilled down to the core elements, and presented in a manner that is clear, concise, and consistent with how your Board operates.
To help you assess your readiness to discuss cybersecurity with your Board, outlined below is a set of Board expectations that you should be aware of and prepared for. These expectations are the basis for your overall strategy and plan.
Your strategy and plan should consist of what I call the 10 Cybersecurity Essentials. Described below for your review and reference are these 10 essentials. I hope you find them useful either as a place to start building your strategy or as a cross-reference for what you’re already doing.
Five key expectations from your board
- Strategy: There is a clear and comprehensive cybersecurity strategy, and a plan to achieve the goals set within it. If you don’t have a strategy, develop one before you present to your Board.
- Standards: The structures of the plan are based on a credible and widely accepted cybersecurity framework or set of standards — ISO, NIST, or another. Pick one. It almost doesn’t matter which — just follow it well and consistently.
- Regulations: The plan supports requirements from a legislative or regulatory perspective. If you don’t know what they are, your Board will, so educate yourself and stay current.
- Assurance: Independent third-party assurance is provided by your Internal Audit team or a credible firm that can attest to the maturity and strength of the cybersecurity program. Don’t take it personally, but Boards expect independent assurance to avail themselves of the “trust but verify” rule.
- Organizational Culture: The overall program reflects the nature and culture of the organization as a whole. The plan supports and is aligned with the risk tolerance of the organization and the employee behaviours that reflect that culture. Learn to leverage your Board if you find you need to change that culture.
Next article in the series: Cybersecurity essentials – Critical threat landscape