On 16 March, teissTalk host Thom Langford was joined by Ali Dehghantanha, Canada Research Chair in Cybersecurity & Threat Intelligence, University of Guelph; Dan Card, Global Chief Information Security Officer, Universal Exports UK Division; Nuno Teodoro, Cyber Security and Privacy Officer/CISO, Huawei.
Views on news
On March 2, 2023, the Biden administration announced its National Cybersecurity Strategy. The administration’s stated goals for the strategy are “to secure the full benefits of a safe and secure digital ecosystem for all Americans.”
According to the Strategy, technology is critical infrastructure and private enterprises are a critical dependency for national security. Although the new strategy is extremely relevant, it seems to be somewhat belated and may not have a far-reaching impact. There is a huge gap between how we talk about cybersecurity and what it looks like on the ground. What’s challenging is establishing the minimum requirement for cybersecurity in a rapidly changing landscape and complex organisations such as the NHS. Because of this diversity, often 90 per cent of the vulnerabilities that a company is mandated to defend against are not relevant to its security posture. On top of that, in regions such as the EU, regulation fatigue is also a growing problem.
The new US Strategy states that vendors are now liable if the software they produce is vulnerable. However, this move may only lead to never-ending legal battles rather than solve any problems. Also, with all the APIs, different platforms and open-source code involved, it is not straightforward to establish whether a given piece of software is secure or not. Currently, about 90% of organisations don’t even have a baseline level of cybersecurity (Maturity Model Level 1).
Boards are increasingly adopting a risk perspective
Boards are also becoming more mature from a cybersecurity perspective, so the question “are we safe?” is heard less often nowadays; the focus has shifted to regulatory compliance, certifications and contractual requirements, without any intention of going deeper into technicalities.
The answer to this question therefore largely depends on the culture of the company and its board’s understanding of cyber risk. Having said that, there are sectors, such as retail, where the “Are we secure?” question is heard more often. The answer should be based on the company’s security budget and the controls it already has in place. You can also get the board to qualify the question: are we safe from whom, or from what type of risk? Over what time period? CISOs should also make sure they flag up the most important issues for the C-suite. Another problem is that the board often accepts a risk but puts off allocating money to manage it.
Sometimes cyber risk is not even on the company’s risk register, and it falls to CTOs and CISOs to make the board aware of it. To win over the board, it is also key to show them metrics such as how many deals the company has won thanks to meeting assurance and contractual requirements, or how many new markets it could enter.
The three areas that lend themselves most readily to a conversation with the board are regulatory compliance, legal and contractual requirements and how to enable the board’s mission critical objectives. However, to keep the attention of the board, you need to talk about how cybersecurity can drive business value too, i.e., how it can improve employee productivity or customer trust.
The panel’s advice
How you answer the question “Are we secure?” is a communication issue: security professionals need to make sure that the board is given the right amount of information to make good decisions.
If you get this question, the first thing you should do is reframe it.
Translate what you want to say to the board into the language of financial loss, which they’ll understand.
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543