Cyber Future Foundation

Chapter 6
Nurturing Board Engagement in Cybersecurity Governance

Chapter Overview

The chapter “Nurturing Board Engagement in Cybersecurity Governance” highlights regular engagement through reporting, the need for cyber expertise on the board, and the value of ongoing education for effective cybersecurity governance.

Introduction
  • Board engagement happens in three ways:
    • Regular cadences
    • A playbook for incidents
    • Long-term engagement through education
Cadences: Why and How
  • Why: Cadences keep the Board prepared. They matter because:
    • They create a predictable reporting schedule.
    • They help educate the Board.
    • They keep cybersecurity in the spotlight.
    • They establish transparency between the CISO and the Board.
    • They ensure prompt communication during incidents.
  • How: Repeat the same structure each time you report to the Board, so that members know which components to expect. The components to cover in each cadence are:
    • What the cyber program looks like
    • The current problems and exposures
    • Where the organization wants to get to
    • Where the organization stands among its industry peers in its defence against cyberattacks
    • New regulations and updates in the security industry
    • Anything that changes the organization’s risk landscape (external and internal factors, and what they mean for the organization)
Playbook for Incidents
  • Developing a framework or designing a playbook is essential to effective incident response. It provides a set of predefined procedures and guidelines to follow when responding to security incidents, and it gives the CISO a plan of whom to alert. When creating the playbook:
    • Clearly define the roles and responsibilities of the people involved.
    • Categorize potential threats and their risk levels.
    • Provide step-by-step instructions for handling the various types of incidents.
    • Define a communication strategy for notifying the relevant stakeholders.
    • Highlight the legal and compliance requirements to be considered.
    • Define escalation procedures, including when external authorities must be informed.
  • The playbook lets the CISO go into the Board meeting prepared in the event of an incident.
  • Once the incident has been responded to and mitigated, the report presented to the Board can serve as the “Lessons Learned” part of the playbook.
Long-Term Engagement Through Education
  • There are three ways the Board can be educated, depending on the time constraints its members have: micro education, collective education, and self-education.
Micro Education
  • The CISO has to get creative with pre-reads to make them engaging for the Board. During meetings, the CISO can deliver information in small doses through microlearning.
  • The CISO must identify topics for the microlearning modules in advance, such as phishing, ransomware, data encryption, and secure password practices.
  • Each microlearning module must be extremely specific. The CISO can use audio/visual and interactive elements to keep the Board engaged.
  • The microlearning modules must be released on a regular basis; they are most effective when they form part of the cadences.
  • Real-life examples are what will make the microlearning sessions most interesting for the Board.
Collective Education
  • It is important to have a Board member who is passionate about cyber, because that person will ensure that cyber stays on the education agenda.
  • Instead of attending extensive, costly training sessions that lead to certifications, Board members can attend seminars and events that are free of charge and more interactive. These also give them an opportunity to meet their peers and exchange knowledge. They can attend:
    • Cybersecurity workshops and seminars
    • Cybersecurity conferences
    • Tabletop exercises
    • Webinars
    • Roundtables
    • Incident response drills
Self-Education
  • Most Board members are interested in educating themselves. This contributes to self-learning and information exchange between members.
  • Board members can use a variety of resources to learn, such as:
    • Books
    • Online articles
    • Podcasts
    • Online courses
    • Industry news

Sponsorship, Membership and Contact Information

All Program Inquiries: Mail to Program Director
Register at: CFF Eventbrite Page
Foundation Website: www.cyberfuturefoundation.org
General Queries: info@cyberfuturefoundation.org
