Under Pressure - Boards Pressed to Govern Cyber Risk
Once relegated to IT departments, concern about cyber incidents that can shut down business operations and put people's lives at risk has caused executives and boards to play a more active role in overseeing their organizations' cyber risk.
Even the smallest lapse in security can lead to prolonged business disruptions and a variety of legal and regulatory issues, and this has gotten the attention of both executives and boards. A 2018 survey of CIOs conducted by Harvey Nash/KPMG found that board interest in cyber had increased by 23%, while only about one-fifth (22%) felt they were well prepared for a cyber attack.
In addition to the internal drivers pushing boards to improve their oversight of cyber risk, there is growing regulatory pressure that could require some boards to include cybersecurity expertise. Regulators such as SEC chairman Robert Jackson are recommending that boards ensure "internal controls, policies, and procedures that make sure that information on the ground in the company, about any cyber issues, makes its way up to the c-suite and the boardroom..."
Most boards rely on one or more sources for risk information. The often-used Three Lines of Defense model attempts to provide a structure that ensures adequate reporting, independence, and transparency. It does this by clarifying the roles and responsibilities across the various risk management functions, which include IT, Information Security, and Privacy (the 1st Line of Defense), Enterprise Risk and Compliance (the 2nd Line of Defense), and Internal Audit (the 3rd Line of Defense).
While the Three Lines of Defense model and the many other risk management frameworks are useful, they lack specifics on the types of information boards need in order to provide adequate oversight and to protect the enterprise's current and future viability, mission, and strategic objectives.
Information From The Front Lines
One of the challenges we see is that the information IT and security leaders report is often very operational and overly technical.
A 2016 report from Osterman Research provided the results of a survey they conducted of corporate board members. They found that just over half (54%) felt that the information IT and security leaders provided was too technical, and that it usually included:
- A complete list of vulnerabilities within the organization
- Details on data loss
- Downtime caused by data breach incidents
The same survey found that 85% of board members felt IT and security executives need to improve the way they reported to the board.
Another survey of CEOs and boards conducted by Deloitte and published in 2018 stated, "cyber risk reports often focus on technical details and technological risks. Yet CEOs and board members could benefit from—and be more engaged by—cyber risk reporting and assurance that focus more on business risks and impacts."
The Deloitte report also found that 81% of IT and security executives report they employ manually compiled spreadsheets to report data to the board.
Crossing the Communication Chasm - Overcoming The Language Barrier
In a recent Wall Street Journal article, enterprise risk management expert and E-Trade board member James Lam warned technology and security leaders about presenting "silly" metrics to their boards. He also said, "...too many chief information security officers and chief information officers go to board meetings lacking perspective about how cyber risk is but one factor to be weighed in overall corporate strategy...CISOs and business executives should go beyond seeing cyber risks in technical terms and weigh the risk of, say, a data breach against the opportunity in a given digital endeavor for adding customers or increasing revenue."
The 2016 Osterman Research study concluded that "As cybersecurity takes a new priority in the C-suite, it has led to more attention from the board of directors. IT and security executives are expected to report cyber risk metrics to the board that enables them to make informed decisions." Based on our findings, the top three items the board wants from IT and security executives are:
- Reports with understandable language that do not require board members to be cyber experts
- Quantitative information about cyber risks
- Progress that has been and is being made to address the company's cybersecurity risk
RiSO - A Governance Reporting Framework
Unlike the fields of accounting and finance, which have well-established reporting tools such as balance sheets and income statements, cyber security does not have any formal reporting guidelines or standards. As a result, organizational security leaders are left to figure out on their own, through trial and error, what to report to their boards. To help address this, we have developed a reporting framework with a simple yet powerful structure that is intended to help security leaders provide more comprehensive reports, improving communication and transparency between cyber security leaders and their boards.
Risk, Strategy, and Operations (RiSO)
The RiSO framework gives security leaders a reporting and communication structure that provides boards with a more comprehensive view of an organization's cyber security program. The three perspectives are Risk, Strategy, and Operations. The idea is to give a complete picture of the organization's security program and show the relationships between the areas. It can also be used to communicate past, current, and future states of maturity and progress across the three perspectives.
The risk perspective is about gaining an understanding of two key things: 1) the amount of risk the organization has, and 2) the organization's ability to manage that risk.
Questions Boards Can Ask:
- Do we have a formal, established process for identifying and managing security issues?
- Reason/Concern: Cyber security is a complex and dynamic discipline that involves tracking hundreds or even thousands of issues at a time. If an organization does not have a solid process for continually uncovering and cataloging issues, things can slip through the cracks.
- Do we have a formal process for analyzing and calculating/quantifying the risk associated with issues?
- Reason/Concern: How an organization analyzes issues and calculates risk can have a big impact. If an organization misjudges risk (e.g., underestimates or overestimates it), issues may not get the attention they need.
- Where is our greatest risk?
- Reason/Concern: IT and security organizations have limited capacity, so resources should be focused on the issues and areas that create the greatest amount of risk.
- How much risk do we have?
- Reason/Concern: If an organization is tracking and analyzing risk properly, it should be able to describe, quantitatively, how much risk is associated with each issue or area.
- How well are we managing risk?
- Reason/Concern: Effective risk management requires that an organization measure risk accurately, make risk-informed, rational decisions, and execute those decisions. How well does the organization do each of these?
- Reason/Concern: Organizations that have not experienced a major loss event, due to random "luck", may confuse "luck" with effective risk management.
The strategy perspective is about 1) preparing for the future, and 2) identifying the priority issues that the organization must focus on to shape that future.
Questions a board can ask:
- Do we have a cyber strategy (strategic plan)?
- Reason/concern: Operationally focused security leaders tend to be reactive and to focus on the threat or issue du jour. Ensuring the security program is able to anticipate and adapt to the future needs of the business is critical to managing tomorrow's risks.
- What are the top cybersecurity priorities, and the associated objectives?
- Reason/concern: It is important for an organization to identify the priority issues that may not be urgent today but, if ignored, can lead to significant future risk.
- How will we achieve these objectives (strategies and action plans)?
- How are we doing against the plan and are we achieving our objectives?
The operations perspective is about maintaining efficient and effective security operations.
Questions Boards Should Ask:
- What security standards and frameworks do we use?
- Is our security compliant with our standards and policies, regulatory requirements, and contractual obligations?
- How do we measure our security efficacy (testing/audit)?
- What metrics does management monitor? Why were these selected?
- What are the most concerning gaps/issues that we have?
- How are we addressing these?
There are a number of governance challenges that clients face:
- Boards want/need to understand cyber risk
- Boards often lack domain experience/expertise and are unsure what to ask for or what to look for
- IT / Security management is uncertain about what to report (metrics, risk, etc.) and often provides technical operational metrics that lack business context
- Difficulty prioritizing issues
- Stakeholders confuse/conflate security, compliance, and risk
- Lack of cyber strategy: no formal plan and review process
- Inconsistent use of terminology
- Risk not adequately quantified
Our Goals For Addressing These Challenges
- Simplicity - make the model as simple as possible
- Provide a structure for conversations (and reporting) between boards and CIOs/CISOs about Cyber
- Draw clear lines between the types and levels of cyber management and reporting
- Accommodate existing security, compliance, and risk frameworks/standards
RiSO Reporting Framework by Apolonio R. Garcia III is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.