
Jul 27, 2023

Voices from Validate: Bridging the Gap – Communicating Security Risk to the Board

The CISO’s Perspective

SafeBreach recently held its second annual Validate Summit at The Star in Frisco, Texas, where SafeBreach customers, cybersecurity experts, and influencers explored how enterprises can stay ahead of risk and safeguard their critical business assets from inevitable cyberattacks by implementing proactive security practices. One hot topic was communicating security risk to the board.

Communicating security risk to the board:

In this first edition of Voices from Validate, panelists shared recommendations for overcoming the communications gap when discussing security risk at the board level. They explained why building a strategy that connects business impact to security risk is a critical step in protecting an organization.

SafeBreach CEO and cofounder Guy Bejerano moderated the panel discussion, Bridging the Gap – Communicating Security Risk to the Board. An esteemed group of panelists with more than 50 years of industry experience joined him. These public and private sector experts are currently working for or have previously advised many of the largest companies in the U.S. They include:

The role of the security function at the board level:

The conversation started with a discussion of the role of the security function at the board level. The panelists emphasized that the board’s focus is on governance and providing oversight, not just for cybersecurity, but also for overall risk management within the business. Although cybersecurity is widely acknowledged by C-suites and boards of directors as a critical business risk, communicating the impact of a company’s security program to nontechnical stakeholders remains challenging. 

The CISO’s role is to provide the board with periodic updates on emerging risks and to demonstrate progress in addressing existing gaps. The panelists agreed that CISOs must present relevant cybersecurity information to the board in a way that gives directors confidence in the organization’s risk management practices. Sherry Ryan, a former Fortune 20 CISO who has worked with many organizations, including Juniper Networks, emphasized the importance of maintaining a continuous conversation with the board to avoid overwhelming board members with new information each quarter. Instead, a CISO should build on the previous discussion by providing updates on ongoing initiatives, progress made, and future plans to address risks.

Patrick Benoit, CISO at Brinks, also advised, “slow your roll,” as it is crucial to be mindful and avoid overwhelming boards with too much information all at once. Instead, it is essential to guide them gradually toward understanding the security landscape. A strategy he has been exploring involves shifting the conversation towards focusing on the effectiveness of controls rather than solely presenting statistics. This approach helps the board to grasp the impact of security measures and how such measures contribute to the overall protection of the organization. By emphasizing the effectiveness of controls, CISOs can create a more meaningful and actionable dialogue with board members.

The increasing importance of cybersecurity expertise on boards:

A significant shift in the board’s expectations was discussed, with an increasing emphasis on having cybersecurity expertise among directors. As highlighted in their recent requirements, the Securities and Exchange Commission (SEC) has started scrutinizing boards’ cybersecurity expertise, which is becoming a key consideration for companies.

Ryan noted that most companies actually lack board-level cybersecurity experience, which places an extra burden on today’s CISO. Roughly 90 percent of Russell 3000 companies do not have directors with board-level cyber experience. The Fortune 100 is somewhat better prepared, with 51 percent of companies having at least one director with cyber acumen.

The impact of regulatory requirements: 

During the discussion, there was a consensus that while regulatory requirements can influence security practices in specific industries, the primary focus should be on aligning security measures with the business’s strategic objectives. Understanding the driving forces behind the organization and integrating security as a catalyst for growth and revenue generation is paramount.

Mick Brons, manager of cybersecurity assurance at Southern Company, one of the world’s largest gas and electric utility companies and a critical infrastructure provider, shared his perspective on regulation in the context of the convergence between IT (information technology) and OT (operational technology). He highlighted that a few years ago, cyberattacks on OT systems were mostly theoretical, except for the 2015 attacks on Ukrainian power stations. However, more recent incidents, such as the 2021 Colonial Pipeline and JBS Foods ransomware attacks, have garnered global attention. Brons suggested leveraging such high-profile incidents to spark discussions and reinforce the strategic direction of a CISO’s security program.

Ryan also emphasized the importance of companies understanding the specific framework they operate under, whether it’s NIST, PCI-DSS, or other standards. As regulatory requirements vary across industries, Ryan suggested that CISOs must be aware of who they answer to regarding compliance issues so they can make informed decisions about the most suitable framework for their organization.

On the other hand, Benoit issued a word of caution regarding the increase in cyber regulation. While more regulations may appear beneficial for security, such regulations can also lead to a higher demand for resources. The risk is that funding might get diverted from protecting networks to focus on proving compliance with regulations. Striking a balance between meeting regulatory requirements and maintaining effective security measures is essential for the success of any cybersecurity program.

Leveraging data for business insights:

The panelists delved into the importance of moving beyond mere statistics and demonstrating the effectiveness of security controls to the board. They suggested focusing on metrics that highlight the timing and impact of critical vulnerabilities and controls. For instance, rather than emphasizing a high overall patching percentage, CISOs should share how quickly and effectively critical vulnerabilities are patched. The panelists believe that this shift in conversation toward impact can help board members grasp the significance of security controls in mitigating risks.
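As an added illustration (not from the panel or from SafeBreach), the following Python puts the headline patch percentage next to the critical-vulnerability timing metrics the panelists recommend. The records and the 14-day critical SLA are constructed assumptions, not figures from the post.

```python
from datetime import date
from statistics import median

# Constructed sample findings for illustration (not data from the panel).
# Each record: (severity, disclosed, patched); patched is None while open.
VULNS = [
    ("critical", date(2023, 6, 1), date(2023, 7, 20)),
    ("critical", date(2023, 6, 10), None),
    ("high", date(2023, 6, 3), date(2023, 6, 8)),
    ("high", date(2023, 6, 12), date(2023, 6, 15)),
    ("medium", date(2023, 6, 2), date(2023, 6, 4)),
    ("medium", date(2023, 6, 5), date(2023, 6, 6)),
    ("medium", date(2023, 6, 9), date(2023, 6, 12)),
    ("low", date(2023, 6, 1), date(2023, 6, 2)),
    ("low", date(2023, 6, 7), date(2023, 6, 9)),
    ("low", date(2023, 6, 20), date(2023, 6, 21)),
]

CRITICAL_SLA_DAYS = 14  # assumed remediation target for critical findings


def patch_rate(vulns, as_of):
    """Share of all findings patched by as_of: the 'efficiency' number."""
    closed = sum(1 for _, _, patched in vulns if patched and patched <= as_of)
    return closed / len(vulns)


def critical_exposure_days(vulns, as_of):
    """Days each critical finding stayed open (or is still open) as of as_of."""
    days = []
    for sev, disclosed, patched in vulns:
        if sev != "critical":
            continue
        end = patched if patched and patched <= as_of else as_of
        days.append((end - disclosed).days)
    return days


def board_summary(vulns, as_of, sla_days=CRITICAL_SLA_DAYS):
    """Place the effectiveness metrics beside the headline patch rate."""
    exposure = critical_exposure_days(vulns, as_of)
    return {
        "patch_rate_pct": round(100 * patch_rate(vulns, as_of), 1),
        "critical_open": sum(1 for s, _, p in vulns if s == "critical" and p is None),
        "critical_median_days_exposed": median(exposure),
        "critical_over_sla": sum(1 for d in exposure if d > sla_days),
    }


if __name__ == "__main__":
    # A 90% patch rate sits beside two criticals exposed for about 50 days.
    print(board_summary(VULNS, date(2023, 8, 1)))
```

The same data yields a reassuring 90 percent patch rate and two critical findings far past the assumed SLA, which is the contrast the panelists want the board to see.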

Ryan also emphasized the need for CISOs to have a security preparedness roadmap to address emerging threats. She said that if a roadmap doesn’t exist, it’s necessary to build one, and that CISOs need to paint a “security posture” picture for the board that includes a plan for addressing known security risks and potential future risks.

The discussion continued with insights into how cybersecurity leaders can leverage data and information from day-to-day operations to provide business insights to the board. Brons shared an example of using SafeBreach results for ransomware strains to visualize attack kill chains. This approach helps the board understand the organization’s effectiveness in defending against ransomware attacks and prompts discussions on investments in security tools and visibility in operational technology (OT) environments.

Life on the front lines, building relationships with board members:

The speakers shared valuable best practices to improve interactions and conversations with directors. Guy Bejerano, CEO and cofounder of SafeBreach and the panel moderator, highlighted the importance of merging business and security discussions at the director level, acknowledging its significance in mitigating threats and reducing overall business risk. He advised understanding the perspective of each director and refraining from delving too deeply into technical details unless prompted.

Benoit emphasized two critical motivations for CISOs to focus on business-related aspects when engaging with directors:

  1. Collaborating with their teams to mitigate risks and improve the company’s security posture within acceptable limits.
  2. Finding ways to leverage security to enhance and drive revenue growth.

Neglecting these aspects would mean missing essential opportunities for meaningful board interactions.

Ryan recommended that CISOs enhance their ability to anticipate directors’ questions during quarterly board meetings. It was also suggested that they consider how directors will receive updates and ensure that presentations align with the company’s business objectives, avoiding any tendency to oversell.

Brons advised CISOs to prepare for each meeting so that every aspect is addressed thoroughly. He noted that they should assess how security can enable various ideas, programs, and initiatives within the company. Additionally, CISOs should be ready to discuss security takeaways and how they can facilitate smoother and more efficient implementation of initiatives. By following these practices, CISOs can establish compelling and productive interactions with board members.

Communicating security risk to the board – looking to the future:

Sixty-two percent of CISOs are now seeing eye-to-eye with their boards on cybersecurity issues, which, according to Proofpoint, is an increase of nearly 22 percent from last year. While most CISOs still face daily challenges and unpredictability ahead, there is reason for optimism, given the tighter working relationship they are experiencing with their boards. With proper planning and a clearly articulated business plan, today’s CISO can overcome many hurdles and find balance and acceptance. The panel covered a lot, so here are some of our favorite takeaways around how to communicate security risk to the board:

  • Make sure your security measures are aligned with what’s essential to the business.
  • Get the board up-to-speed on emerging threats and any lessons learned by companies that have been previously victimized.
  • Build a baseline and show your program’s impact or gaps with plans to resolve them.
  • Leverage high-profile incidents to spark discussions and reinforce the strategic direction of a CISO’s security program.
  • Understand the perspective of each director and refrain from delving too deeply into technical details unless prompted.
  • “Slow your roll”—do not share too much information simultaneously.
  • Share a simple security preparedness roadmap to address emerging threats. If a roadmap doesn’t exist, build one to paint a “security posture” picture for the board, including a plan for addressing known and potential risks.
  • Instead of presenting new information each quarter, a CISO should build on the previous discussion by providing updates on ongoing initiatives, progress made, and plans to address risks.
  • Use visualizations in communicating complex cybersecurity concepts to the board.
  • Shifting the conversation from efficiency to effectiveness can help board members grasp the significance of security controls in mitigating risks.
  • Communicate between quarterly meetings because a lot can happen between those meetings.
  • Don’t be afraid to share what happens if you don’t invest.

Improving communications between directors and executive leadership is a pressing issue for many. Obviously, every board and stakeholder has a different level of comprehension around your enterprise’s security. Regardless, a consistent framework for communicating is key. To learn more about breach and attack simulation and how SafeBreach can help provide you the insight to simplify communicating security risk to the board, we invite you to schedule a demo.
