7 steps to prepare your board for cybersecurity risks and regulations
“Engagement on this topic from the board is just vital, just like you see on other crucial risks.”
-Google Cloud CISO Phil Venables
Growing cyberthreats and new rules on cyber disclosures — including those recently passed by the SEC — are putting pressure on boards, CIOs and CISOs alike to keep an eye on the landscape and stay ahead of change.
What trends and risks are top-of-mind? What can organizations do to keep themselves cyber-ready?
A webinar led by Google Cloud CISO Phil Venables earlier this year brought together different perspectives from all sides of governance and technology. Venables joined Diligent board member Betsy Atkins, Mandiant CEO Kevin Mandia and Diligent CEO Brian Stafford to share their thoughts on how boards can navigate an increasingly complex cyber landscape.
How boards can stay ahead of emerging risks and regulations
1. Give cyber dedicated attention at the committee level
Cybersecurity today is too important to leave for periodic meetings of the full board. Just like finance, compensation and audit, it deserves committee attention throughout the year.
“Taking cyber and putting it in a dedicated location with focus is really important,” said Atkins. “If you look at the Fortune 500 companies, 12% of them have a tech committee now.”
If your board isn’t open to forming a new committee, solutions can be found in its existing structure. “Look at the governance committee,” Atkins advised. “The workload and the remit are light, and they have capacity.”
2. Strengthen your board’s cyber expertise
How well does your board understand cybersecurity standards like the NIST framework and the policies and the procedures behind them? Are they conversant with and ready for the new SEC rule on cybersecurity disclosures?
“We can only expect a lot more scrutiny. So, it's going to be important that you're actually doing cyber briefings to the board and that you're engaging in this,” Atkins said. “You need to have at least two cyber certified board members.”
One way to strengthen your board's expertise is by making IT and InfoSec leadership part of the board itself.
“As a board, you have to seriously take a look at and say, 'Do I need to add a CIO or a CISO?'” Stafford said.
Whatever the case, Atkins explained, “When you get a core of people who really understand [cyber], then they're able to do better oversight, they're better able to understand risks a little more in depth.”
Likewise, Venables urged leaders not to be intimidated by the technological aspects of cybersecurity.
“Treat this as a first-class business risk and do not get frightened by the technical complexities, because there are many other complex business risks we all deal with,” he said.
Additionally, board members and executives looking to enhance their cybersecurity knowledge and skills can enroll in the Diligent Cyber Risk & Strategy Certification course. The course leverages exclusive interactive eLearning content and tabletop exercises to help directors improve their oversight of enterprise-wide cyber risks.
3. Actively engage with the internal security team
Equipped with this expertise, boards can work closely with the CISO and the IT team and provide the level of oversight needed to keep the organization safe.
The panelists encouraged such active engagement. Stafford believes that with their internal security team standing in front of the board, giving them a lay of the land and a snapshot of risk and security, “Board members will feel better as they deepen their understanding of what the next order of questions are.”
“That degree of engagement [from the board] is just vital, just like you see on other crucial risks,” added Venables.
4. Make risk and readiness central to cyber discussions
How good are we at security? How resilient are we? What is our risk?
According to Mandia, these are the top three questions boards in any industry should be asking themselves about cyber risk.
Red team and purple team exercises can help answer these questions. “Emulate the threats, shoot the bullets at your network and see how you do,” he advised. “You just want to be able to do it in a safe way so it doesn't disrupt business.”
Take a look at resilience as well. “Can you operate your business off the internet? I've seen a lot of businesses fail to some extent during a cyber breach because they couldn't operate the old-fashioned way — manually,” Mandia said.
Conduct tabletop exercises — real-world simulations of potential events — at least once a year. And when presenting to the board, InfoSec leaders should use a risk-based framework that covers:
- Which threats the team is worried about
- What’s being done to mitigate those threats
- How you're testing to see if those threats can become a reality
5. Include mergers, acquisitions and the supply chain in risk oversight
“Pretty much every organization now is dependent ever more on their physical and digital supply chain,” Venables said. “I see a lot of boards not connecting the risks between their third-party and sometimes even fourth- and fifth-party risk assessments with their procurement team and their risk team and their security team.”
“The supply chain is one of the most vulnerable areas,” Atkins noted, adding that it isn't the only vulnerability. “About 40% of breaches come through the supply chain. M&A is another area. You buy a small company, and they haven't got the [right level of] cyber protection.” Probe and ask questions, she advised.
6. Keep an eye on cyber basics
Effective cyber oversight also includes taking a good look at the organization’s practices and processes:
- Does relevant, up-to-date cyber training exist for all company employees?
- Is this training getting administered and tracked in a timely fashion?
- How well are cyber teams and the board implementing and adopting cutting-edge tools for cyber protection?
“Staying ahead of things really comes down to you as a board member knowing the right questions to ask,” Stafford said.
7. Make third-party support business as usual
A third-party cyber firm, such as a managed services provider, can provide valuable support for your internal CISO team, panelists concluded. A firm that tells you about the attacks it sees and backs up your own CISO organization is a net positive.
Sometimes familiarity is a good thing, but ultimately, you want to simulate different adversaries in exercises like tabletop scenarios.
Once brought in, evaluate these resources regularly. Stafford advised boards to consider: “Are you using the right external cyber penetration vendors, and do you have the right experts to come in to the board and actually go and kick the tires?”
That being said, “Do not abdicate your decision-making to the outside experts,” Atkins emphasized. “You're there as a director. It's up to you to make the business judgment and make that call.”
For more guidance on how your board can sharpen its cyber governance — in areas ranging from materiality to proxy season to the NIST framework — download this white paper authored by Atkins, or watch a replay of the full webinar. Enroll in the Diligent Cyber Risk & Strategy Certification course today.