On 22 June, teissTalk host Thom Langford was joined by Leo Cunningham, CISO, Owkin; and Ifedayo Osideinde, Chief Information Security Officer, AXA.
Views on news
Even though boards say cybersecurity is a priority, they have a long way to go to help their organizations become resilient to cyberattacks. And by not focusing on resilience, boards fail their companies. Unfortunately, this growing awareness of cyber risk is not driving better preparedness. Just 69% of responding board members see eye-to-eye with their chief information security officers (CISOs). Fewer than half (47%) of members serve on boards that interact with their CISOs regularly, and almost a third of them only see their CISOs at board presentations. Often, CEOs don’t have the attention span to listen to the concerns and reports of CISOs. When talking to CEOs, CISOs need to translate cyber risk into potential revenue loss. Alongside charts, stories told by CISOs can make the highest impact. Although risks can’t be completely eradicated, the business has to be confident that it can cope with an attack when it happens and can quickly bounce back.
How cyber resilience can make business continuity more robust
Cyber resilience, in practical terms, is about continuous stress testing. It is also the knowledge that a company can bounce back quickly if it’s attacked. Everyone in the company has to know what part they will play if an attack occurs. Part of the preparation is to ensure that people on the board are comfortable talking to the press, and so is general psychological preparedness and emotional intelligence, as CEOs will need to wear at least 5 hats during the incident and talk to the public about security, data privacy and other aspects of the attack. The risk committee, if there is one, should contact the right people in the company for different types of risks, e.g., marketing for reputational damage. The risk committee will want to know if the CISO has engaged with all stakeholders when assessing risks. CISOs need to point out to the board that even if cybersecurity doesn’t add monetary value to the business on the face of it, it does create value and isn’t only a cost centre. Boards, however, are most receptive to regulatory value, and CISOs can also leverage the findings of previous audits or point out how the insurance premiums the business pays will shoot through the roof unless certain controls are put in place. Also, CEOs seem to have already understood the importance of business continuity and now have to be alerted to how continuity goes hand-in-hand with resilience.
The panel’s advice
CISOs need to have a good understanding of the business, which also involves reading Annual Reports and being familiar with KPIs.
Establish which company assets need what level of protection.
Resilience is about making cyber threats manageable and less overwhelming.
As a CISO, you need to be constantly in the board space and remind them of the vulnerabilities and what they must look out for. They will appreciate your help as they have so many different things to focus on while managing the company.
Don’t be scared of the board; reach out to them.
