This article is the first in a series of articles by NAV CANADA Vice-President and Chief Information Officer Claudio Silvestri about talking to your board about cybersecurity.
A cybersecurity conversation with your Board of Directors or Executive Management team can go one of two ways: you will either inspire their trust and confidence in your abilities as an IT leader or you will not. The outcome of your meeting comes down to your ability to demonstrate clear ownership of the risk, and your command of the topic from both a technology and an overall business perspective.
Understand that your Board is looking for leadership and bravery in the face of a risk that could do significant harm to your organization, is ever changing and growing in complexity, and can originate from anywhere on the planet with the click of a mouse.
Over the years, I have had many opportunities to discuss matters of IT, not only at the Board level but also with Executive Management teams for the various organizations for whom I have worked. I regularly present to the full Board of Directors at NAV CANADA, and have a standing agenda item related to cybersecurity at the Audit and Finance Committee. I also sit on the Ottawa Hospital Board of Governors, where I contribute to the oversight of the numerous IT-related matters in healthcare, including cybersecurity.
I can tell you with certainty that, for oversight bodies of any kind, cybersecurity remains an area of constant concern and, at the same time, a topic of discomfort, as many Boards still lack practical or even theoretical knowledge of it. It also seems to me that the approach to oversight some Boards are comfortable with may not necessarily work for others. Those who are still working to determine how best to fulfill their duties in the oversight of cyber risk need IT leadership.
Additionally, recent studies such as the Harvey Nash / KPMG 2019 CIO Survey indicate there is a large gap between IT leaders and their Board or Executive Management in how they perceive their organization’s readiness to deal with a cyber event. Roughly 75 per cent of Boards and Executive Management feel their organizations have done enough and are ready, whereas only 25 per cent of IT leaders feel the same way. Guess who loses in that equation?
The opportunity for you as an IT leader goes beyond just helping your organization manage cybersecurity. In fact, the opportunity is, in my view, one where IT leaders get to shape how oversight is provided, and contribute to the education and awareness of those who are charged with risk oversight.
For those IT leaders who have yet to present to their Board of Directors, I hope I can give you valuable guidance on how to best prepare for that inaugural meeting. Your goal, of course, is to gain the trust and confidence of your Board, which will enable and empower you to protect your organization from cyber attack and create resiliency in the eventuality that you fall victim to one.
Next article in the series: “Talking about cyber security to your board – Know your board”