Preparing for a Boardroom Discussion - Expect the Expected
April 08, 2015
One of the roles of the Office of the CISO for Accuvant and FishNet Security is to inform and provide practical guidance about information security risk management. On most days, the individuals with whom we interact are information security practitioners and other IT leaders. Increasingly, the topic of our discussions has been how to prepare for an audit committee or board-level meeting.
While it is not a substitute for direct advice from your colleagues, especially those who have presented to their boards, one of the simplest things you can do to prepare for a board-level discussion is to read the cyber-risk guidance provided by the National Association of Corporate Directors (NACD). If you are not familiar with this organization, the NACD is an independent, not-for-profit whose mission is to deliver insights and resources to enable its more than 15,000 members to effectively address complex business challenges such as cyber-risk. In addition to research, the NACD provides director education programs and national peer exchange forums to promote director professionalism, ultimately enhancing the economic sustainability of the enterprise and bolstering stakeholder confidence.
The Cyber-Risk Oversight Handbook, a 25-page document prepared in collaboration with NACD, AIG, the Internet Security Alliance and security thought leaders, is a basic ‘how-to manual’ for preparing for an executive or board-level conversation. This guidance defines five key principles that serve as a starting point for conversations to enable board members to better perform their role in providing effective guidance (oversight). This document is a basic roadmap that will help a board member assess whether an organization’s cybersecurity strategy is appropriately managed given the strategic mission and the realities of the business ecosystem in which it operates.
The five principles are:
- Directors need to understand and approach cyber security as an enterprise-wide risk management issue, not just an IT issue.
- Directors should understand the legal implications of cyber risks as they relate to their company’s specific circumstances.
- Boards should have adequate access to cyber security expertise, and discussions about cyber-risk management should be given regular and adequate time on the board meeting agenda.
- Directors should set the expectation that management will establish an enterprise-wide cyber-risk management framework with adequate staffing and budget.
- Board-management discussion of cyber risk should include identification of which risks to avoid, accept, mitigate, or transfer through insurance, as well as specific plans associated with each approach.
At face value, these principles seem simple enough. Therefore, implementing an information security program and being prepared to address the board should be relatively easy, right? Let us say this with great gusto and in all caps: NOT SO FAST. The NACD cyber-risk guidance along with the other articles and material referenced on their website requires heavy lifting. To address these principles the security leader will need to work collaboratively with key stakeholders in the organization as well as establish a strategy that identifies the crown jewels; and it must be appropriate given the risk appetite of the organization. We have read this document numerous times and each time seem to learn something new about what a board member might expect to discuss.
As part of doing your research, before you go into a board meeting you should also have a full understanding of the below questions.
- Who is the audience?
- Who might be influencing the board and their questions?
- What frameworks are we following and what does it matter to the board?
- What are leading practices for cyber security, and where do our practices differ?
- How do I establish myself as the board’s go-to expert?
To be blunt, preparing for a board-level discussion is not like studying at the last minute for a mid-term or even final exam.
In closing, it is not uncommon for companies to seek board members who have experience with information risk and security. We know several companies where board members include the CEO of an insurance company, the CEO of an information security company and a former CISO. If you have not already read the guidance, we highly recommend you take the time to do so. If you have read the guidance, and you believe that you can address the sample questions posed above, congratulations! If you think you might have some more work to do in order to prepare for a board-level discussion, we suggest starting now.