Learn how to build a top-down cyber governance structure that can flexibly adapt to changing business needs.
The Northern District of California’s approval of the proposed $117.5M settlement to resolve the claims of approximately 194 million class members whose data was pilfered in the infamous Yahoo hack again casts a spotlight on board cyber risk oversight responsibilities.
But despite numerous high-profile data breaches pointing to lapses in governance as the major root cause, most cyber leaders still make the strategic mistake of disproportionately allocating their limited budgets towards fancy technologies while paying scant heed to the tone at the top.
In our experience training hundreds of CISOs and cyber leaders via our flagship Cyber Leadership Program, a critical insight has emerged: Cyber resilient enterprises acknowledge that board oversight and c-suite leadership are essential to driving transformational change. Their most senior business officers and the board of directors provide unwavering support for cybersecurity programs. They role model expected behaviours and uphold the virtues of their cyber risk appetite. They embed cyber risk governance into the bloodstream of their enterprises, making it an inevitable and inconspicuous part of strategic and operational decision making, and, as a result, foster transparency and accountability.
THE RISING IMPERATIVE
The number one driver for tightening pressure on the boards to do the right thing is the soaring cost of cyber crime, now estimated by Cybersecurity Ventures to topple $10.5 trillion by 2025. As high-impact data breaches wipe shareholder value and damage respected brands, customers, business partners, and shareholders are expecting more.
Governments are also scrambling to close legal loopholes, making it clear that boards are ultimately responsible for cybersecurity. The federal government in Australia is drafting regulations to make directors personally responsible for attacks. This builds on the 2018 mandatory data breaching reporting law. While the USA still lacks a comprehensive federal cyber law, many states have their own laws making nationwide business difficult. Two bills signed into law in June 2022, however, aim to bolster the federal cyber workforce and promote collaboration across all levels of government. Meanwhile, the EU introduced the cybersecurity act in 2019, aiming to give ENISA a permanent mandate and to establish a European cybersecurity certification framework to assist individuals and organizations in assessing cyber risks.
As pressure grows on the board to take responsibility, a significant problem remains. Most corporate directors still find cybersecurity highly cryptic and existing frameworks tedious and continue to act reactively rather than proactively. Perhaps unsurprisingly, a 2021 report by Accenture found over 90% of CEOs and CFOs still think cybersecurity is an IT issue. PwC’s 2022 Digital Insights Survey revealed that while CEOs score themselves as proactive in cybersecurity measures, their executive counterparts measure CEOs as reactive.
In the next section, we provide some practical recommendations to help CISOs close this expectations gap.
SIMPLIFY THE MESSAGE
If cyber leaders want a highly engaged board, they need to simplify the message, discard technical jargon, and speak in the language of the business. Board members have limited time. Avoid complex reports and vain metrics that don’t tell the board anything useful. Effective CISOs are able to seamlessly tie cyber risk to new product success, business growth, the cost of capital, innovation, customer trust, profitability, and other crucial business priorities. That way, they can create a shared sense of purpose and position cyber risk as a strategic business enabler, not a necessary evil.
Doing so requires:
- Linking cyber risk to corporate objectives through developing an in-depth understanding of business operations, value chain, strategic priorities, risk appetite and regulatory environment.
- Sharpening story-telling skills to persuade the board and executive management to act. Risk maps and detailed metrics are not enough; sustained governance requires CISOs to simplify cyber risk in business terms, enlisting board and executive support.
- Ensuring executives role model expected behaviours, participate in cyber drills and hold personnel accountable for maintaining robust cybersecurity controls.
- Embedding cybersecurity into vital business processes, such as product development, digital transformation, or acquisitions.
ESTABLISH A CYBER-RISK GOVERNANCE COMMITTEE
Underpinning any cyber resilient environment is a strong governance framework. To that end, the board should establish a dedicated cyber risk committee comprised of senior business, technology and risk executives tasked with ensuring the business maintains strong defenses against current and emerging cybersecurity threats. They should also ensure that the business is not exposed to risks outside its determined risk tolerances. The cyber risk committee should be chaired by the Chief Information Security Officer (CISO). Acceptance of this responsibility by the CISO naturally elevates this critical role within the business. Senior business officers, such as the Chief Executive Officer, Chief Information Officer, General Counsel, Public Relations Officer, Chief Customer Officer, Chief Operations Officer and Chief Financial Officer, should all be part of the cyber risk committee.
The Cyber Resilience Governance Playbook provides detailed information regarding the establishment of a cyber risk governance committee and their responsibilities, including the importance of establishing a forum.
ENCOURAGE DEEPER BOARD-LEVEL CYBERSECURITY CONVERSATIONS
Despite the importance of technology to corporate strategies, most board members still lack technology experience. However, effective cyber risk requires the board to challenge the adequacy of risk measures against business appetite and business strategy.
To have a good grasp of the enterprise cyber risk posture, the board needs to ask some important questions:
- What are our high-risk information assets, and do they have appropriate cybersecurity defenses? (For example, are they running on vendor-supported infrastructure updated with the latest security patches?)
- What are our current cybersecurity strategic initiatives and how do they support the overall mission? Are they aligned with enterprise goals to account for current and future needs?
- How effective are our cyber breach response capabilities and have they been tested?
- What are the top data breaches and other cyber attacks in our industry and how has the business applied lessons learned from those incidents?
- How do our cybersecurity capabilities compare with industry standards or our peers, and have those capabilities been independently verified?
- Is the business prepared to promptly detect and respond to data breaches to minimize downstream implications to customers?
To further complement governance, the board should consider inviting management consultants to offer insight into how similar enterprises are tackling cyber threats and regulation changes and provide spending guidance. These consultants should present their insights to the board in the presence of the CISO to create open relationships of trust and ensure the CISO is abreast of industry standards.
The board should develop a positive but skeptical attitude when interacting with management, as management may be inherently biased to overstate the effectiveness of controls and downplay the organization’s vulnerabilities, especially when management incentives are tied to cyber risk metrics.
TEST AND REFINE
No matter how good a cyber resilience framework is, it’s bound to get better if it is regularly tested and refined. The board has a responsibility for ensuring that a comprehensive cyber crisis management plan is in place and response capabilities are regularly tested against high-impact scenarios. Stress testing cyber response capabilities in controlled environments validates key assumptions, uncovers defective procedures, and clarifies key responsibilities — reinforcing muscle memory and instilling business confidence.
Furthermore, cyber scenario drills answer some important questions:
- Who makes critical decisions during a cyber crisis event, such as paying ransom if vital business files are rendered inaccessible without up-to-date backups?
- Which business functions are a priority if IT resources are significantly constrained by a cyber attack?
- Does the organization have up-to-date, offline backups to recover essential business processes if production systems are rendered inoperable or corrupted?
Furthermore, the CISO should maintain a comprehensive cybersecurity assurance calendar to assess the ongoing effectiveness of critical preventative, detective, response, and recovery controls. This includes ransomware defense readiness, threat hunting, a deep-dive crown jewel controls review, and red teaming.
CLEARLY ARTICULATE YOUR CYBER RISK APPETITE
Enterprises thrive by taking measured business risks, but stumble if these risks are not clearly understood and effectively managed. Business leaders are constantly making intelligent trade-offs between how much risk they are willing to take in pursuit of enterprise goals.
A clearly articulated cyber risk appetite statement — a formal articulation of the organization’s willingness to accept cyber risk — is a vital tool to enable an enterprise to make critical decisions faster without exposing the organization to risks beyond its capital capacity. The cyber risk governance committee should formulate the cyber risk appetite, and the board should ratify it, at a minimum, annually.
An effective cyber risk appetite is one that all employees clearly understand, is actionable, measurable, and supported by clear roles and responsibilities. The board of directors have ultimate responsibility to ratify the cyber risk appetite, ensuring it supports the enterprise’s objective and doesn’t constrain innovation. This necessity was emphasized by a report by the Senior Supervisors Group, which stated, ‘The board of directors should ensure that senior management establishes strong accountability structures to translate the RAF [risk appetite statement] into clear incentives and constraints for business lines.’
Most cyber risk appetite statements, however, are vague and don’t provide any meaningful guidance to operational teams. For instance, a cyber risk appetite that states that the enterprise has a low-risk appetite for the loss of its business and customer data only stimulates boredom.
When formulating the enterprise’s cyber risk appetite, business leaders should be guided by two factors:
- The enterprise’s capacity to absorb the accepted risks should they materialize, and
- Its enterprise mission.
An effective cyber risk appetite is also tightly linked to an organization’s high-value digital assets and takes into consideration external obligations to customers, investors, shareholders, and regulators.
For practical examples illustrating various cyber risk appetites, refer to page 17 of the Cyber Resilience Governance Playbook.
Technology, cyber risk, and the business environment are all evolving at breathtaking speed. An enterprise cyber risk appetite statement should therefore be constantly tightened or relaxed in line with evolving circumstances.
BOARD CYBER RISK METRICS
A good set of cyber resilience metrics or key performance indicators are an effective way to track, measure, and analyze the cyber health of the organization. They establish a consistent mechanism to gauge management’s commitment to cyber resilience, reinforcing discipline and accountability. For them to be valuable to the board, cyber risk metrics should refrain from reporting on vain measures whose aim is to arouse emotions without driving real change. For example, telling the board that the cybersecurity team stopped 7 million spam emails last month does not provide any value. Advising the board, however, that the organization is running outdated email threat prevention technologies will prompt them to fund the modernization of cybersecurity capabilities.
CISOs, working collaboratively with senior business stakeholders, should define a set of cyber KRIs to achieve the following five objectives at a minimum:
- Provide timely cyber risk information to senior executives and the board, helping them redirect resources towards areas of the greatest concern.
- Act as an early warning sign, informing key decision-makers of what is likely to go wrong.
- Prompt management action to dig root causes and take corrective action before the negative consequences materialize.
- Provide feedback by demonstrating the operating effectiveness of critical controls.
- Enable benchmarking of capabilities and transfer lessons learnt from one business unit to the other.
There are some guiding principles to help CISOs develop insightful cyber risk metrics:
- Key Risk Indicators (KRIs) must be identifiable pieces of information that are indicators or proxies of the current or potential level of key risk. More often, they relate to current active risk which may not have negatively impacted the enterprise yet.
- A good set of KRIs should maintain the right balance between negative events that may happen (leading KRIs) or risks whose impacts have materialized (lagging KRIs). Leading KRIs are generally more valuable as indicators of potential risks than lagging KRIs, especially at senior levels. So, at the board level, you would typically focus on leading KRIs.
- By focusing on key risks (not the entire risk universe), the CISO will drive deeper and quality board conversation towards the most critical risks. Your KRIs should, therefore, largely align with your active cyber risk profile.
- The KRI must tie strongly to the risk being tracked. Or, to put it differently, a change in the KRI should correspond to a shift in risk profile.
- KRIs should be actionable. Any KRI outside tolerance must drive concrete management actions with c-level accountability.
- KRIs should ideally be objectively measurable and fact-based. Randomly assigning traffic light colours wastes the board’s precious time.
- KRIs should be able to be collected from current management processes, i.e. you should report the metrics that management is using already to manage a process, not blindly dump a set of main metrics evangelized as “best practice”).
Now that we have established a solid foundation to build cyber key risk indicators, how do you bring them to life? There are four key steps:
- Identify your top cyber risks, ideally starting from your active cyber risk profile. For each key risk, identify a set of potential KRIs. Note that some KRIs will relate to multiple risks and vice versa.
- Map the KRIs to your selected control framework (e.g. NIST) to assess whether you have balance in your selection of KRIs and coverage across the key domains (e.g. Protect, Detect, Respond, Recover).
- KRIs are dynamic, so start with metrics with existing data and beef them up as reliable data becomes available.
- Agree on the frequency of reporting with key stakeholders and align that with key risk management reporting dates.
The effective cyber KRIs give the board deep insight into the effectiveness of key controls. The CISO must, therefore, inform the board, via brief and clear commentary, of current management initiatives to address measures that are outside of tolerance, including specific target dates. Metrics identified as unacceptable should be accompanied by a brief commentary articulating the plausible business impacts, the likelihood of the risk materializing and existing compensating controls, if any. The Compelling Board Cyber Risk Reporting Playbook provides an illustrative example to demonstrate these essentials.
Cybersecurity governance is the link between the IT enterprise of the cybersecurity function and the business. It’s important to take governance seriously and not get mired in the day-to-day operations or technical aspects of cybersecurity which is a common pitfall for many new CISOs. Cyber resilience governance measures, such as those outlined above, can assist the CISO in building a robust, cyber resilient organization.
Despite the billions of dollars invested in cybersecurity solutions every year, not much has changed. Cyber criminals keep outsmarting enterprises — pilfering billions of sensitive records, manipulating stock markets, stealing trade secrets and committing several other egregious acts.
It’s become clear that change driven solely by technology will not suffice; real transformation needs to start up higher, with the board holding management accountable for maintaining strong cyber defense and response measures. Precedents are being set globally that undeniably demonstrate cyber governance is the board’s responsibility, and failing to understand this could lead to devastating cyber breaches and litigation from shareholders and consumers, damaging businesses beyond repair.
Phil is an experienced head of cybersecurity, strategic advisor, author, and public speaker. He is the Amazon best selling author of The Five Anchors of Cyber Leadership, a practical cyber strategy book for senior business leaders. 2017 winner of ISACA International’s Michael Cangemi Best Book/Article Award, for major contributions in the field of IS Audit, control and security.