teissTalk: Persuading the board to sign off on your cyber-security strategy

teissTalk host Jenny Radcliffe was joined by Graydon McKee, Senior Director, Cybersecurity Engineering, Visa; Tony Giannino, Vice President, Technology Risk Asset Management Division, Goldman Sachs; and, as lead guest, Zeeshan Kazmi, CISO/CIO, Zygotek Inc.

Views on news

A new report shows that while communication with the board is improving at many organisations, CISOs still struggle to obtain cyber-security investment. Communicating cyber risk to C-suite executives is clearly getting better: only 4 per cent of executives say that they don’t discuss cyber security in the boardroom at all. However, 12 per cent of C-suite executives still only discuss cyber security when a breach occurs.

The attitudes a new CISO should adopt

The key to effective communication with the Board seems to be presenting cyber risk reduction as just another business deliverable, conveying the importance of cyber security in terms that are familiar to top executives. CISOs should also make sure they point out not only the risks but also the opportunities and top-line growth potential that cyber controls bring.

The CEO and the CFO should already be sold on the cyber-security investments by the time they enter the boardroom; it is then incumbent on the three of them (CEO, CFO and CISO) to win the buy-in of the rest of the board.

CISOs in financial services and tech companies have plenty of opportunities to prime the CEO and CFO. In healthcare (the sector the report focuses on), and in education, access to them is far less straightforward, so it is harder for CISOs to tie their presentations to the priorities and concerns of board members, such as loss of revenue and the regulatory environment.

Cyber security also needs to rebrand itself so that it is no longer seen as “the department of slow and no”.

Rather than positioning itself as a cost centre, cyber security should talk to other departments about how security could become a selling point or a differentiator for them. Cyber security professionals should also think more in terms of probability, and accept that there are some cyber risks a company can, and has to, live with.

The panel’s advice

When asking the Board for money for controls, you should also demonstrate that you are spending the money you already have judiciously.

Point out how much a worst-case scenario could cost the company, aligning your numbers with the historic costs of previous breaches.

CISOs should talk more about business continuity – the business process layer of security controls.

Security controls are a subset of business controls, and the two should be seen as complementary. Some business controls, for example, can compensate for minor weaknesses in security controls.

The CISO should always walk into the boardroom as part of a team, not as an individual. “Gather your allies before going to battle!”

The full teissTalk is available to watch on-demand.

© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543