Not that long ago, a company’s board of directors would meet once a year to be briefed on cybersecurity. The discussion would be brief, and it certainly wouldn’t be strategic.
Today, things have changed.
Boards not only have a responsibility to protect shareholder value (by protecting company assets held digitally), they also face regulatory and personal liabilities that could follow a data breach. What's more, transparency in cybersecurity is now demanded - not only by shareholders, but also by customers and partners.
High-profile examples include Uber's $148m fine, or the disruption to business continuity that comes from a CEO being forced to resign in the wake of an incident. This means today's boards must take a closer interest in the company's efforts to secure itself, and in its preparedness in the event of a crisis.
So how should you be thinking about cybersecurity in your next board meeting, and what should you expect from the company's CISO (Chief Information Security Officer)?
Ensure that you talk about cybersecurity in the context of the different risks that face the business.
The CISO is not there to tell you that everything is going to be fine. As a board, it’s important to understand that you can never completely mitigate risk, so build trust with your CISO and let them talk openly.
You should instead be focused on ensuring that best-practice measures have been applied across the business in a way that mitigates risk as far as possible within the CISO's mandate. This may extend from the selection of key technology vendors that meet your changing business requirements (for example, how employees communicate and share files securely), through to employee policies and training exercises.
No one is immune from the threat of a cyberattack, regardless of how many preventative measures are put in place. Therefore, it’s equally important to understand how the business will react in the event of an incident.
In fact, how the business – including the board – manages and responds to a crisis is often the key factor in determining its outcome.
Talk to the CISO to understand how business continuity will be guaranteed, particularly if the corporate network is unavailable and day-to-day operations are disrupted. Understand roles and responsibilities (including your own), how key stakeholders (such as institutional investors and the press) will be managed, and even the tools that key personnel should use to communicate securely in the event that corporate communication services such as email are unavailable.
There are really only two categories of metrics you need to focus on: operational metrics and compliance metrics.
Make sure that these are clearly broken out and understood by the board, and that you agree on a reporting system with the CISO so that you can accurately track progress.
Operational metrics: These cover the day-to-day operations and threat prevention activities of the CISO's organization. They are there to show that the business is actively invested in deploying the tools and policies needed to prevent or manage an incident.
Compliance metrics: It's likely that the business undertakes regular compliance and auditing, typically through third parties (for example, ISO 27001 compliance). Often, achieving (and maintaining) compliance has significant commercial implications, and it's vital that the board understands how any outstanding risks are being managed.
The language of the boardroom might be unfamiliar to many CISOs, so work with them to ensure that presentations cut the jargon and focus on business impacts and outcomes.
Keep the CISO focused by asking them to align their reporting to business goals, and ensure that any metrics you are tracking contribute to your overall business KPIs. Help them to translate risk, as they see it, into business risks that the rest of the board can appreciate (customer churn, loss of profit, decreased market capitalization, etc.).
Finally, make sure that every session concludes with clear outcomes and actions.
Taking an active role in understanding cybersecurity is quickly becoming a prerequisite for today’s board members.
By working with your CISO, and understanding not only how the business is deploying preventative measures, but also how it responds to incidents, you can help to embed a culture of security across the board where security and risk management becomes part of every business decision.
Wire Red is the most trusted, secure end-to-end encrypted communication and collaboration tool available, and the perfect choice for businesses looking to ensure business continuity in the event of disruption. It comes with everything your organization needs for crisis communication and recovery. Alert your whole team, track availability, broadcast updates to smaller groups — or to the entire company.
It’s pre-provisioned, always ready to ensure business readiness and recovery, and available on both mobile and desktop devices. Messaging, conference calls, video conferences, and file sharing are just the start. Wire Red can be extended with custom integrations and bot-services, all hosted by Wire so your network downtime doesn’t affect availability.
Contact us to plan and launch a 30-day Proof of Concept with the support of our experts.