Boards of Directors are worried. In the last year the technology conversation in a board meeting has gone from system implementations and data management to preventing the potential loss of hundreds of millions of dollars in a cyber-breach. CEOs, CIOs and Boards are now held accountable when data breaches occur. Following the Target breach in 2014, a proxy advisor recommended replacing nearly seven out of 10 board members; while this did not lead to an ouster of the Target board, it illuminated the pressure boards are now under to be proactive in protecting customer and employee data.
"Today, every company needs a communications and response plan as a form of risk reduction"
What does that mean for the CEO, CIO and CISO of a public company? Boards are asking questions about the state of cyber security for the first time ever, and these executives need to be prepared to discuss not only the current state of their companies’ cyber security but, more importantly, the overall cyber security risk profile of the company. Few executives today are equipped to lead a discussion of risk in the context of a cyber-breach, which creates a gap: public boards want to know what the corporate risk is and how it will be mitigated over time.
So, how should C-level executives frame the conversation with the Board around risk and cyber security? Start with the basics and ask yourself some foundational questions.
What does your board care about? Boards care about revenue, EBITDA, G&A, shareholder return and the corporate governance that enables these. Most importantly, they value year-over-year improvement in the financials of the company. The board is paid to advise company leadership on strategic direction and to ensure risk is mitigated appropriately, leading to company growth.
So, what do you do?
Use risk as the center of your discussion.
Create a “risk” rating and a risk dashboard that summarize the following for your board: where your security program stands relative to your industry and to best practice; how interesting your industry and your company are to attackers (does your industry have a higher profile for data exfiltration or media attention?); and your identified and quantified risk areas (data loss, both customer and employee; business interruption; negative media attention resulting in a stock price or sales decline; industrial control system failure resulting in disaster).
Next, talk risk reduction. Many board members ask if you are going to be “hacked”; your answer should be “yes, eventually”. No company, government body or even person is completely secure (even luddites who live in the woods with no computer or Internet access can have their social security number stolen).
Now that you have gotten the board’s attention with all of the industry vulnerabilities and the statement that no company is secure, discuss what you are doing, at the highest level, to reduce that risk. Talk in corporate terms, not technical ones. Avoid discussions of tools, systems or software at all costs. Focus on your overall security program, your approach to securing data, and do not forget your response to a breach or security incident. Today, every company needs a communications and response plan; this is a form of risk reduction. Data breaches are, unfortunately, becoming more common. Plan for your response. Keep topics like cyber insurance, employee security education and cloud provider data loss mitigation in the conversation with your board (they read magazines just like you do and know all about the cloud). Position your security program maturity compared to others in the industry. Are you better, worse or just getting started? A key goal should be to be “less interesting” and more difficult to breach than your peers, a competition of sorts. Let the board know that. Your ultimate goal is to reduce overall cyber security risk, and one of the key ways to accomplish this is to reduce your threat footprint and your profile overall.
Use your board conversation not only to discuss cyber risk and its mitigation, but to ask for the resources you need to mitigate that risk. The board wants to know that you are doing the right things, understand the threats and are on the front line working to stay ahead of emerging threats. Part of your overall cyber security roadmap should be to constantly evaluate new people, processes, technology and solutions that can enhance your security posture. This should not only be central to your efforts, but should be foundational in your discussion with the board.
Framing a conversation around cyber security is an evolving task. With cyber breaches becoming a regular news item and boards under pressure to ensure their cyber security programs are sound, expect this conversation to become a regular part of your board’s audit committee meeting. Even if this has not been a part of your board meetings to date, you can start now by creating a risk-based conversation, framed in business language, with your company and board leadership.