When the barbarians are at the gates, neither casual conversations nor polite protocols can do organizations much good.

As the shift to remote work and cloud migration makes businesses more digitally empowered, threat actors are finding more ways to breach defenses, increasing the risk to business operations and the bottom line.

The consequences of a breach range from loss of revenue and intellectual property to legal liability and reputational damage, on top of the cost of recovery. Boards of directors and CISOs share responsibility for appropriate oversight of those risks.

But if there is no buy-in from the board, or if the board does not fully understand the impact of cyber risks on the organization, or there is no agreement on how to address the issues, we may end up with what the Chinese call “a chicken-and-duck conversation”: two parties talking past each other.

It all starts with the right culture. And the right culture is built on clear communications and right relationships.

CybersecAsia talked to cybersecurity expert Alex Tilley, Head of Threat Intelligence, Asia Pacific and Japan, Secureworks, about what CISOs and cybersecurity teams can do to bridge the critical gaps that may exist among board members and C-suite executives.

How does the security culture of an organization impact business outcomes? 

Tilley: Security culture in an organization boils down to protecting the organization and its interests in a pretty hostile environment (the Internet).

An organization with a mature, well-considered and nurtured overarching security culture is much better positioned to detect and defend against attacks that may be technical or human in nature, such as Business Email Compromise (BEC) attacks.

With the rise and rise of ransomware, it must be noted that an organization’s security culture will help defend the organization from what really is an existential threat from well-resourced, experienced and motivated attackers.

All staff need to feel confident working together and “doing their bit” to secure their organization and ensure it thrives!

Boards look to CISOs to execute due diligence and to help them understand the risks to the business. CISOs want buy-in from the board to invest in the most appropriate protection to manage those risks. How has the relationship between CISOs and boards evolved in recent years, and what are some key challenges?  

Tilley: Boards have become increasingly aware of breaches and other attacks on businesses making the news. The board has goals around growth and looks to minimize risk, and as these stories of misfortune in other organizations continue to come through, the pressure from the board on the CISO to help them understand their exposure grows.

Their risk is massively increasing as boards continue to seek understanding and, in some cases, assurance that the direction the business is taking regarding security is correct or on par with their peer organizations.

This interest from the board can cause some CISOs who aren’t ready for it to fail to communicate their needs and risks clearly, in a way the board can understand and use to make informed decisions. So both company boards and CISOs are learning how to communicate with each other at a time when “the barbarians are at the gates”, which can make for some quite heated discussions as each tries to understand the other in a high-pressure situation.


What are some steps CISOs should take to build a tenable relationship with the board? 

Tilley: Taking time to do business-wide crisis management exercises is an excellent way to build trust with other business units.

Reporting on the outcomes of such an exercise will help the CISO understand “how” the board wants to receive the information and any gaps between the expectation and reality of such reporting and questioning.

Doing such exercises at a time when an organization is not in crisis is critical, as it helps everyone understand the roles and responsibilities. That means that when there is a high-pressure situation, the board will have confidence that the CISO has the correct connections across all business units (not just the tech stream) and has the proven ability to produce meaningful reports on complicated topics and to inform the decision-making process the board must undertake, clearly and with authority but not arrogance.

Regular briefing slots at board meetings also help to massively increase trust and relationships across the ELT and board. Setting metrics and reporting back on the progress of initiatives helps the board to see that the organization is “moving in the right direction” (as far as security controls/posture is concerned) month-to-month and quarter-to-quarter.

Regular metric-based briefings also help identify areas that may need more attention or explanation, maintaining that relationship and having the CISO seen as the “trusted advisor” they should be.

How have successful organizations implemented a cybersecurity reporting process?  

Tilley: For progression monitoring, it is metrics metrics metrics! But realistic, explainable, meaningful metrics. Things that matter to show the organization is progressing in their security journey.

A good path is to meet with the board with ideas (and reasons) of what the CISO feels are good metrics based on pain points or progression requirements. These metrics can be altered or further explained and then (crucially) agreed upon with the board and presented at future meetings to show the trends and progression.

Breach reporting is another area that needs to be addressed, again working with the board before a breach event to help them understand the types of things to expect to be told, agree on acceptable/understandable terms and include other business units to show their inputs into the breach detection, notification and response process.

Please share some tips for establishing the CISO’s role as a trusted and credible leader.

Tilley: The CISO needs to work to understand the following:

    1. What the board needs to hear
    2. What sort of language they need to use
    3. What is extraneous detail
    4. What is jargon
    5. How to meaningfully collect and then present critical information
    6. That the board will often ask pointed questions out of left field, and to have answers ready
    7. To practice their delivery with someone NOT from a technical area to make sure they are using clear non-tech language
    8. To show the board they are willing and happy to engage other business units outside of IT
    9. That they “may not always get things their way”, and to reassess their messaging to ensure they have outlined the needs clearly
    10. (Biggest one) To make return visits to future board meetings to show progression and openly answer questions and potential criticisms

The board wants to see things moving forward and that the risks are being addressed. CISOs need to help them understand this, and then they will have confidence in the CISO’s abilities!