In March 2022, the U.S. Securities and Exchange Commission (SEC) issued a proposed rule, the Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, that, if adopted, would require companies to disclose their cybersecurity governance capabilities and the role of the board concerning oversight of cyber risk.
In Part Two of this series (please read Part One here), we provide actionable information CISOs can use not only to prepare members of the board for the new SEC regulation but also to explain the role of cybersecurity in terms non-technical board members can understand.
Preparing for the New Regulation
What key drivers should CISOs keep in mind when working with their boards to comply with this new rule?
The SEC proposal is a legal issue, so bringing in an organization's General Counsel is vital, not only to sound the alarm about the new regulation but also to advise on any and all SEC and fiduciary responsibilities that will come into play.
A CISO should remain a team player and prepare to work with the board members rather than simply ringing the alarm bell and walking away. Instead, bring a pragmatic viewpoint on balancing priorities, solving the immediate challenge, and laying the blueprint for near/mid-term compliance.
Additionally, the CISO should come to the boardroom with recommendations that will ensure budgets allocated to cybersecurity risk are properly aligned to mitigate the potential impact of any incidents effectively.
Finally, a CISO must understand that individual board members come from different places in their understanding of cyber and in their technical acumen. To reach them, a CISO must adjust key messages and develop a common language to avoid speaking past them or simply not being heard.
Taken together and completed, these actions will likely lead to a proper relationship with the board members, resulting in regular, individual interactions rather than reliance solely on boardroom presentations.
What Exactly Are We Talking About? or How to Develop a Common Language With Your Board
CISOs often struggle to communicate the value of their cybersecurity investments in a language the board understands. There are very understandable reasons why this happens and a few steps any CISO can take to ensure their words make sense to the board.
Many CISOs have moved up through the ranks from IT roles and have grown accustomed to speaking primarily in technical terms that tend to emphasize "speeds and feeds."
CISOs must hold all conversations in language the board understands, which isn't about technology or speeds and feeds. Instead, the conversation needs to center around risk and the pragmatic steps the CISO is taking to reduce or mitigate risk today, how they plan to further reduce or mitigate risk in the future, and how they plan to optimize their investment pool across talent, technology, process, and their partner ecosystem for the best possible security outcomes.
The average board member understands topics like protecting brand and corporate reputation, avoiding business disruption, and the cost of downtime.
From the board's perspective, cybersecurity is a business issue for which technology, process, and talent are the answer. A board should be, and many are, thinking about cybersecurity in terms of risk – risk of brand and reputational damage, risk of business disruption, risk of client impact, risk of regulatory fines and penalties – and in terms of risk mitigation. A board also must determine what its risk appetite is and what expense it's willing to incur to protect itself.
Just as with other business challenges, addressing risk requires adequate planning and preparation. This preparation includes:
- Optimizing your investment pool to reach desired outcomes across technology, process, people, and partners
- Continued pressure testing of key assumptions
- Stakeholder alignment and engagement
- The ability to adjust plans as the environment changes or when new information is discovered
Another key point the board must understand is that an organization that merely maintains the status quo from a cyber perspective creates additional risk and exposure. The modern adversary continuously upgrades its capabilities, so constant evolution in cybersecurity is non-negotiable. Part of this conversation should include informing the board how the business can become more cyber resilient and determining where to place funding to gain the maximum impact to achieve this goal.
The CISO should also build the board's confidence in the organization's ability to quickly recover from a cyber incident by explaining the incident recovery plan.
Finally, because data is ultimately what attackers are primarily after, understanding where the organization's data resides, how it is protected, and how it is retained or purged is increasingly in the domain of the CISO, shared with the CIO and other parts of the business. The board does not need to understand the technicalities of data policies, but it should have visibility into how the organization is protecting (or backburning) its data.
How CISOs Provide Bottom-Line Value
The CISO's role has changed dramatically over the last few years, and at the same time, the expectations placed on the CISO have never been higher. As a result, CISOs need to think about ROI, value creation, and value protection.
CISOs can provide this very necessary information by explaining that organizations don't have to invest in all of the people and processes themselves; they can instead invest in cybersecurity partners who do this type of work all day, every day. Let another organization provide:
- The right talent and expertise
- Gold-standard configurations and rules or policies borne of experience
- The collective intelligence gained from doing the work across hundreds of organizations worldwide
The end result of such a move can be improved security outcomes, lower risk, lower staff burnout and turnover, and the right mix of talent to deliver better ROI on the totality of the security investment.
The same can be said for organizations that opt to keep their security in-house. There has been and will continue to be a proliferation of cyber technology that organizations will invest in; however, for various reasons, many organizations fail to realize the full value of their investments.
These organizations spend money on the technology itself, with less thought given to extracting the expected value from the new bright and shiny tool or solution. What is often missing from the conversation is: what talent do I need, where do I find it, and how should I architect my processes to extract that value?
In conclusion, the best advice is for an organization to find a trustworthy partner to help it future-proof its business while maximizing its security investments.