Board Members: It’s About Business Risk, and It’s Here to Stay

With cybersecurity rapidly climbing up the list of strategic challenges for business executives and board members, it’s easy to get confused by techno-jargon and assume that IT and security professionals have cornered the market on knowledge in this area. But that’s missing the point: Cybersecurity is really just another form of risk management.

“You can choose or not choose to make it part of your enterprise risk management heat map, but you should be honest with yourself and reserve a spot for it forever,” stressed Palo Alto Networks CEO Mark McLaughlin. “It’s here to stay as a business risk.”

The board member roundtable—co-hosted by global talent advisory firm Egon Zehnder—focused extensively on finding ways to help board members play the most appropriate role possible in helping their organizations combat cybersecurity threats and their impact. “It should be discussed, planned, and accounted for at the highest levels of the organization,” said McLaughlin. “In order to move the business forward, cybersecurity is a critical enterprise risk management issue in order to remain competitive. In fact, it’s impossible to have digital transformation without security.”

McLaughlin and other hosts led the discussion around three major areas:

  • Questions board members should ask about cybersecurity and new metrics to consider in assessing the efficacy of a company’s security program.
  • Common pitfalls board members face when engaging the management team on cybersecurity issues.
  • How visionary and forward-thinking boards address and oversee cybersecurity.

Questions to ask and new metrics to consider

McLaughlin—who in addition to his role of CEO and board member at Palo Alto Networks is also a board member at Qualcomm—probed roundtable participants on the key questions they need answers to from their CISOs and new metrics to consider. These included:

Question: How do we get quality data?

Answer: You need to be doing constant pressure testing. Your teams should be running tests regularly, and using third parties from time to time to make sure your organization doesn’t know a test is running.

Question: How do you balance agility and security?

Answer: We can innovate quickly even when building in more security protections. It often results in a healthy tension, but we need to make sure we’re not focusing on innovation to the detriment of sound security practices. They need to take place together.

Question: How should we look at staffing resources with increased cybersecurity risk?

Answer: You want automation to take care of most of the attacks, and have your people work on the rest. The battle is with software, and automation is key.

Question: What are the questions our CISO must be prepared to answer?

Answer: They need to know how many attacks—and of which varieties—they are seeing. They also must be able to quantify their confidence level in spotting and stopping these attacks, and to talk about the trendlines as the attack vectors change. They also need to have a handle on the number of people associated with addressing these risks: If that number isn’t getting smaller, then the CISO doesn’t know what the problem is and how to achieve success in addressing it.

Common pitfalls for board members

One of the most fundamental issues for board members is to get over any discomfort they may feel in lacking cybersecurity domain expertise or relevant experience in the field. That means board members must be prepared to demand—if necessary—that technical executives talk to them about problems in a business context. “If your CISO is talking technology details in the boardroom, fire them,” he said. “You wouldn’t have your CFO asking you how they should run their financial modeling.”

Board members also should pay attention to the organization’s business processes—without getting too deep into the details—in order to ensure that those processes aren’t introducing new risks. “You can do everything right from a planning standpoint,” said McLaughlin. “But if your processes aren’t there, you’ve got problems no matter how great the technology. Imagine if a CFO gets a note from the CEO asking to transfer money. If there’s no process to review the context of the request and ensure it meets governance, legal and compliance standards, they may just transfer the money.”

Today’s visionary board profile

One thing that some organizations have considered is whether a cybersecurity expert should be part of the board makeup. Jon Carter, senior partner in Egon Zehnder’s global Technology & Communications practice, raised that key point with board members, adding that an alternative option may be to use outside consultants to advise the board on cybersecurity.

But McLaughlin and others said that level of specialization should not be necessary, as long as at least some of the board members are technologically savvy and are familiar with cybersecurity at least at a high level. “If you have a technologist on the board, that should be good enough,” he said.

Instead, McLaughlin and consultants at Egon Zehnder stressed that today’s more progressive boards have established a separate, standing committee on cybersecurity, apart from the audit committee. Plus, they added, it’s important to get a mix of people on that committee because you need multiple points of view stemming from different areas of competence, not just IT.

Forward-thinking boards also need to find a way to bridge the gap between what the board needs and what the cybersecurity professionals are telling them. “We have to get out of the ‘everything is fine’ type of answers we’ve been hearing and accepting for the past few years,” said one board member. “The questions we’re asking are getting better, but the answers are not.”

Bottom line: From a board member’s perspective, it’s vital to view cybersecurity as part of the same enterprise risk management framework that is used to evaluate traditional business risks. “You should be honest with yourself and make sure it occupies a key place on the risk management agenda,” said McLaughlin. “It’s here to stay as a business risk.”