Behind the scenes of most large organisations lies a board of directors. This group of high-caliber individuals - some employed by the organisation, some not so much - are appointed to provide joint oversight of said organisation’s activities, including those related to cybersecurity and compliance (although that may not be apparent).
But recent studies are again showing that security executives such as CISOs and CSOs are not engaged with the Board as often as they should be, which can be detrimental. After all, the Board needs to maintain an overall understanding of the way their organisation and its many departments - including those in cybersecurity and compliance - help keep the lights on and the money flowing.
With growing trends in cross-border data flows and mobile computing, as well as accelerating technology refresh rates, the compliance and cybersecurity conversation needs to happen, and be heard. Let's start talking!
Unlike what you might see on TV, a board of directors is not always sequestered in a dark room plotting daily events. A board generally convenes only for quarterly meetings, or in times of emergency. While board members are often very smart people, they are not necessarily cybersecurity savvy.
It stands to reason, then, that the cybersecurity and compliance teams need a presence at these quarterly meetings. That generally means that the CISO or CSO will attend. Providing a bird’s eye view of the organisational risk posture - and the way forward to consistently improve it - is imperative. This is the only way the board can be sure to make the right decisions on budgets for cybersecurity and compliance initiatives. In addition, financial regulators increasingly want to see processes and policies in place for managing cyber risk. They want to see risk reporting that goes directly through to the board about the possibility of critical information loss, such as trading decisions, client personably identifiable information (PII), or fraudulent transfer of client funds.
The enterprise governance, risk and compliance (or EGRC for short) crew is comprised of the folks with several responsibilities. They develop cybersecurity policies. They plan for business continuity and disaster recovery. They also track organisational cybersecurity risk and ensure compliance with company policy and objectives or industry standards (such as ISO 27001 or PCI).
Understanding the company's greatest risks - pulled from the risk register of an EGRC tool, hopefully - helps the board provide direction. It also helps the board approve and track risk remediation plans laid out by the CISO or CSO. For instance, if an unforeseen risk pops up, perhaps the board will need to allocate some funds to a new tool or resource. If the CISO assigns a risk a high severity and the board agrees, then perhaps cybersecurity - or organisational - project priorities need to be rearranged to reduce risk or enhance compliance.
Outlining your EGRC plans and outcomes for the quarter to your board is great. However, you also need to outline what you’re doing from an operational perspective to help enhance your organisation’s cybersecurity posture.
Is your vulnerability management team reducing the number of critically vulnerable hosts on the network?
Do your endpoint and perimeter protection appliances help enforce compliance to security policies?
Have you had any cybersecurity incidents this quarter? How did the team react?
Has your sensor management team been weeding out false positives using next-generation data analysis?
Is your cybersecurity threat intelligence team sniffing out systems that are out of compliance with company policy while identifying potential indicators of compromise for the latest cybersecurity threats and threat actors?
Having the answers to these questions, as well as the data to back them up and correlate them to various risk and compliance objectives, will work in your favour when meeting with the board. If your cybersecurity operations practice has fended off an attack from a noted threat actor, make sure the board takes note. You want to show that while your cybersecurity efforts are paying off, your organisation is still seen as a potential target by the bad guys.
Outlining strengths, weaknesses, opportunities and threats in a “SWOT analysis” is a great idea when it comes to board-level presentations. It’s always great to show the board that you’re gaining ground in the cybersecurity battle. However, you don’t want to leave out the rest of the detail. When highlighting weaknesses, show that you’ve got plans to bolster your practice to minimise them. Nobody wants to stand in front of the most powerful people in the organisation and fire off a list of ISO 27001 compliance issues with no go-forward plan to fix them. Showcasing opportunities for the organisation via the current cybersecurity practice is a great idea. Perhaps your implementation of the latest next-generation firewall appliance is worthy of a case study. The vendor wants to put your organisation on the main page of its website. This puts your organisation in the limelight as a cybersecurity leader, perhaps drumming up more business.
Next come the threats. This doesn’t necessarily mean cybersecurity threats specifically, but threats to the cybersecurity and compliance practices, or the organisation itself. Perhaps your organisation has just acquired another firm, which puts your organisation’s data at risk unless better cybersecurity controls are implemented on the acquiree’s network. Laying out a solid threat and the mitigation plan to the board is imperative.
Being able to measure the key aspects of your cybersecurity and compliance practices and explain these measurements to the board is paramount. You need to understand your operational cybersecurity metrics. These might include the number of critically vulnerable hosts over time, time to contain cybersecurity incidents, or successful phishing attempts.
You also need to get a handle on governance, risk and compliance metrics such as number of users out of compliance (who hasn’t taken security awareness training?), tasks remaining for projects specific to ISO, PCI, or SOX compliance initiatives, or oldest critical risk in the risk register. Measuring your cybersecurity and compliance practices provides a way to track, manage and display results. Showing off a timeline that highlights a 30% dip in critical vulnerabilities and a 22% increase in security awareness compliance over the past three months is a great way to show the board that you know what you’re doing. Remember to use metrics to help outline the weaknesses, opportunities and threats as well.
Much like “the Force”, your organisation’s board of directors can be your greatest weapon, or your own demise, depending on how you use it. If you provide regular, accurate SWOT analyses on your cybersecurity and compliance practices, as well as the metrics to back them up, the board will be your guide. It will provide you with the power you need to bolster your cybersecurity defences and maintain compliance to industry standards for your sector. If you use deception based on fear of consequences, you’re likely to see the dark side of the board … and get fired. Ensure that the board is updated regularly, quarterly at least, to help them understand your initiatives and engage in providing you constructive feedback, potential alternative solutions, or large-scale insights.
Now, go forth, provide accurate data to the board, create relevant business cases to help cybersecurity and compliance initiatives to safeguard your activities, and may the board be with you!
Being able to demonstrate robust security to the board is part of any effective cybersecurity posture - and ZoneFox can support your team to do that.
Underpinned by Machine Learning and AI technology, ZoneFox provides total data visibility, delivering the Who, What, Where, When and How when it comes to your organisation’s sensitive data. The result? You’re armed with the critical information need to protect your organisation, your business-critical data and your reputation.