All a CISO needs is buy-in, but it's not guaranteed when presenting security strategies to the C-suite, board or other employees.
"We forget we do run businesses, right? So you have to make those tradeoffs and decisions," said Sara Andrews, SVP and global CISO of PepsiCo, during the Mandiant Cyber Defense Summit last week. "What I want is, whoever's in the room, whether it's the CISO, CIO or a board member, [to think] about cybersecurity and the decisions you make."
Boards are recognizing that their entire business is dependent on technology. Even in industries lagging in digital transformation, businesses are still reliant on technology. It took years for the CIO to have a loud enough voice at the C-suite table, and CISOs are only now becoming more understood.
"The key is not to bring the day jobs into the boardroom meeting," said David Baumgartner, EVP, CIO, and managed solutions leader at Mandiant, during the panel. He recommends CISOs provide context that illustrates what security wants and portrays clear intention when presenting to the board. CISOs should ask themselves:
- What are you asking for?
- What do you need from the board?
It is the board's job to ask questions, not directly tell CISOs what to do. CISOs who can operate and speak at a board level, and seek agreement from their board, can transcend whatever industry they perform security in. The broad principles of cybersecurity are evident in most businesses and industries, especially in the last year and a half.
"Try and be as simple as possible in terms of the explanation," Baumgartner said. "Put things in business terms, use benchmarks, use comparative analysis, to give them perspective" around how the business fares against its competition. Having this data will cushion the questions boards often ask their CISOs, including:
- How at risk is the business?
- What areas are lacking appropriate protection?
In addition to stats, Teresa Tonthat, VP of IT and CISO of Texas Children's Hospital, uses the news cycle to educate her board. Tonthat brings "relevant highlights of what's going on in the media" to tie it back to the risk posture of Texas Children's, she said during the panel. "They really like to hear what's happening around the other healthcare institutions."
Is the board cyber savvy?
Using the right tools to translate risk, and folding security into overall business outcomes, are tactics CISOs rely on, but they still need transparency with the board.
"There hasn't been one time where I've left a board meeting where they hadn't asked me 'Do you need anything, Teresa?' So I think they're at that point where they're very well versed," Tonthat said. And the CISO should readily know what areas need more attention and resources.
While the last year challenged the perception that security is a back-office cost function, and brought CISOs to a more prominent position, executives still struggle with effective communication. It's a balancing act to know which of the board's questions are reasonable to answer now versus deciding to tell them only what they need to know. The tradeoff between the two is never-ending, especially during an incident, when details reveal themselves slowly.
Boards have a critical control and monitoring function when an incident occurs, but if the board does not understand cybersecurity, their control function is less effective.
SolarWinds is a case study of the role boards play following a breach and revisiting risk management. The company had its nominating and corporate governance committee oversee cyber risk, instead of a standing risk management committee, its April 2020 proxy statement said. After the breach, SolarWinds established a committee with additional board members in January to oversee IT and cybersecurity, according to its April proxy statement.
It's an example for other companies to understand whether they are putting enough protection around the product or solution that most represents their business.
When cybersecurity becomes a natural part of overall business goals, and cyber risk is meshed with systemic risk, it changes how incidents are handled in the future.
Pepsi has cybersecurity built into crisis management; "a lot of companies don't do that," Andrews said. "People think, 'Oh, it's cybersecurity, we need to do something special for that,'" when really folding it into overall crisis management sets the tone for the rest of the company. It naturally becomes a discussion about customer impact, revenue and availability.
Firmly placing cybersecurity into overall crisis management helps set the tone for response operations. "It's really important that we leverage — as CISOs — anyone who can help us," said Andrews. "We don't have to solve all these problems ourselves."