The chapter “How is the Board Informed” discusses strategies for keeping the board effectively informed about cybersecurity matters. Key points include the role of the CISO, regular reporting on cybersecurity metrics and incidents, establishing a reporting cadence, maintaining proper documentation, dedicating time to cybersecurity during board meetings, providing training and education to board members, and providing updates on incident response activities. Together, these practices aim to ensure the board is well informed and equipped to make sound decisions regarding cybersecurity.
In an organization, a cyber-aware Board is the first step towards cyber protection. With the increasing regularity and complexity of cyberattacks, it is no longer a question of if but when an organization will find itself the victim; a Board that provides cybersecurity oversight is a critical requirement to ensure appropriate management of cyber risks.
But is cyber awareness enough?
Mitigating cybersecurity risks after an event has occurred is only half the battle. Organizations must think beyond cyber protection and become proactive rather than reactive. Building cyber resilience – the ability to withstand a cyberattack, limit the damage it causes, and recover quickly – should be an organizational goal. An organization that is proactive in its cybersecurity measures will also be better prepared for recovery and business continuity.
To lead a cyber resilient organization, the Board has to take the next step after awareness – build a clear plan aligned with its strategic goals. To this end, it is vital that the Board is fully informed on a regular basis of the organization’s cybersecurity strategies, requirements, and overall landscape.
One of the major challenges most organizations face is the lack of a proper channel of communication between the Board and the cybersecurity committee or experts. Whatever the size of the organization or the industry it is in, keeping the Board informed must follow a well-defined framework.
Many larger organizations have a reporting schedule of once or twice a year in which the CISO gets an audience with the Board to explain the wins and losses of the cybersecurity program. Ad hoc discussions are hastily arranged when there is a cyber event.
But with growing threats and the consequent tightening of compliance requirements and regulations, this is unlikely to be enough.
While the CIO is responsible for the overall IT strategy, the CISO – who in many organizations reports to the CIO – is specifically responsible for reducing cyber risk. That reporting line can put the CISO’s risk findings in tension with the CIO’s delivery priorities, so it is important that the CISO has direct access to the Board, with the opportunity to present findings, evaluations, and recommendations without being filtered through intervening layers of management.
Direct CISO-to-Board access opens the way to candid discussion and productive dialogue, elevating the CISO from cybersecurity expert to cybersecurity advisor. It also means the CISO’s responsibility is not limited to keeping the Board informed on a quarterly or yearly basis but extends to keeping an open and transparent channel active throughout the year.
In turn, the Board must hold in-depth one-on-one discussions with the CISO on a regular basis, not just to stay updated on the organization’s cybersecurity hits and misses but also to understand how the cybersecurity program is progressing.
Keeping the Board informed doesn’t begin and end with reporting or a few ad hoc discussions. To create a cyber-capable Board, there must be a committed strategy to communicate efficiently with it. The dedicated cybersecurity committee and the Board must establish a two-way bridge in which the flow of knowledge is consistent and transparent.
To ensure that cybersecurity concerns and strategies receive the attention they need, it is important to establish a regular cadence with the Board. The cybersecurity committee and other stakeholders should take care to communicate updates clearly and concisely, avoiding technical jargon. The Board takes a business view rather than a technical one, so any information presented must be framed in terms of business risk and impact.
Each in-house report must state what has changed in the organization’s risk profile since the previous quarter: new or closed risks, trends in key metrics, and the status of previously agreed actions.
Regular, comprehensive meetings like these will help the Board have a strong grasp on the cyber landscape, provide them with the necessary know-how to understand the risks, and enable them to make informed decisions on behalf of the organization.
When reporting to the Board, clarity is key. The information presented must be easy to understand, contain everything needed to take a decision, and include recommendations on the way ahead. A few practices that can be included in reporting to the Board are:
Focused board meetings on cybersecurity, involving the cybersecurity committee and the Board, give the two parties much-needed one-on-one time. During these dedicated sessions, the cybersecurity committee can provide in-depth details on the organization’s cybersecurity posture and on whether current strategies provide the required level of defense against threats.
These sessions are also the right time to delve into new security initiatives, evolving threats, and any recent significant breaches.
The Board can also conduct in-depth one-on-one discussions with the CISO in the absence of a cybersecurity committee.
If the organization is employing the services of a virtual CISO (V-CISO), the Board can have regular interim check-ins with them, rather than waiting for the quarterly update.
Training sessions for Board members can be conducted in-house by the CISO, or an external expert can be brought in to provide a broader perspective that is not limited by the organization’s own profile.
As discussed briefly in the previous chapter, encouraging the Board members to take part in cybersecurity webinars and events and networking with peers about the topic will help create an external ecosystem of experts.
Most organizations hold ad hoc meetings in the face of unforeseen scenarios, and emergency meetings in the event of a cyberattack. The cybersecurity committee and the CISO must move quickly to assess the impact of the attack and drive containment and mitigation. The Board must be kept informed regularly on the progress and effectiveness of the incident response process, and the thresholds that trigger Board notification should be agreed in advance rather than decided mid-incident.
The cybersecurity committee and the Board must work together to limit the compromise of the organization’s assets and the exposure of sensitive information, and to ensure that any legal or regulatory notification obligations are met on time.
Once the incident has been contained, regular follow-ups must be undertaken on the ongoing remediation efforts. This is where documenting the lessons learned from the attack adds value, as they serve as a stepping stone for future resilience plans.
These lessons can be incorporated into the organization’s cybersecurity strategies to reduce the chance of a repeat and to make the organization more resilient in the face of another attack.
Keeping the Board fully informed on matters of cybersecurity will help to promote transparency, trust, and accountability. And, what’s more, it enables the Board to play the part it is supposed to play – provide cybersecurity oversight and build cyber resilience.
Once the Board is cyber aware and fully informed on the organization’s cybersecurity landscape, how does it act to fulfil its duties? We will cover this in the next chapter.