By: Sam Olyaei, Director Analyst at Gartner
Boards today are more informed and prepared to challenge the effectiveness of their companies’ security programs. They are having more complex and nuanced dialogues with security and risk management leaders, thanks to the need to achieve digital ambitions amid growing cybersecurity threats for remote teams.
Therefore, it’s highly unlikely that they will ask basic questions like: How secure are we? Why do we need more money for security, when we just approved X last year? What do you mean, we got hacked a hundred times? Rather, boards will be much more specific and precise in their probing.
Security and risk management leaders often struggle to respond to board questions that are shaped by media reports, which leads to a breakdown of trust between business leaders and technology leaders.
it's up to you to prepare responses that lead the discussion toward assurance, compliance and support for security practices. Beyond individual passions and concerns, boards collectively care about three things:
• Revenue/mission: operating or non-operating income and enhancing non-revenue mission objectives
• Cost: future cost avoidance and immediate decrease in operating expenses
• Risk: financial, market, regulatory compliance and security, innovation, brand and reputation
Board questions can be categorized into these five buckets.
The incident question
What it sounds like: How did this happen? I thought you had this under control? What went wrong?
Why it’s asked: These questions arise when an incident or event has occurred and the board either already knows about it or the chief information security officer (CISO) is informing them of it. This is particularly relevant now, when boards may be asking questions specific to securing the organization while large portions of employees are working from home. These questions could also come up in reference to any other incident, including data breaches that may have impacted the organization in general.
How to respond: An incident (regardless of category) is inevitable, so stick to the facts. Share what you know and what you are doing to find out anything you don’t yet know. In short, acknowledge the incident, provide details on business impact, outline weaknesses or gaps that need to be worked out, and provide a mitigation plan.
Be cautious not to endorse one option as the ultimate choice when in front of the board. The responsibility for oversight of security and risk remains with the security leader, but the accountability must always be defined at the board/executive level.
The trade-off question
What it sounds like: Are we 100% secure? Are you sure?
Why it’s asked: Questions like this often come from board members who don’t truly understand security and the impact to the business. It’s impossible to be 100% secure or protected. Your role is to identify the highest-risk areas and allocate finite resources toward managing them based on business appetite.
How to respond: Begin with something like: “Considering the ever-evolving nature of the threat landscape, it’s impossible to eliminate all sources of information risk. My role is to implement controls to manage the risk. As our business grows, we have to continually reassess how much risk is appropriate. Our goal is to build a sustainable program that balances the need to protect against the need to run our business.”
The landscape question
What it sounds like: How bad is it out there? What about what happened at X company? How are we doing compared to others?
Why it’s asked: Board members encounter threat reports, articles, blogs and regulatory pressure to understand risks. They will always ask about what others are doing, especially peer organizations. They want to know what the “weather” looks like and how they compare to others.
How to respond: Avoid guessing the root cause of a security issue at a different company by saying, “I don’t want to speculate on the incident at Company X until more information is available, but I’ll be happy to follow up with you when I know more.” Consider discussing a series of broader security responses such as identifying a similar weakness and how you are updating business continuity plans.
The risk question
What it sounds like: Do we know what our risks are? What keeps you up at night?
Why it’s asked: The board knows accepting risk is a choice (if they don’t, that’s a challenge you need to address). They want to know that the company’s risks are being handled, and you should be prepared to explain the organization’s risk tolerance so as to defend risk management decisions.
How to respond: Explain the business impact of risk management decisions and ensure that your positions are supported by evidence. The second part is vital, because boards make decisions based on the risk tolerance. Any risks above the tolerance threshold require a remedy to bring them within a safe area. That said, this doesn’t necessarily require dramatic changes in short periods of time, so beware of overreacting.
The board seeks assurances that you are adequately managing material risks, and that subtle, long-term approaches may be appropriate in some instances. Remember, the board is accountable for “enterprise” risk, of which cyber risk makes up a small, albeit important, part. Challenge yourself to be brief and to the point. A lack of control is not a risk, and neither is the next big threat. Focus on the big-ticket items that you control, such as loss of IP, regulation and third-party risk.
The performance question
What it sounds like: Are we appropriately allocating resources? Are we spending enough? Why are we spending so much?
Why it’s asked: The board wants reassurance that security and risk management leaders are not standing still and about metrics and ROI.
How to respond: Use a balanced scorecard approach that uses a simple traffic-light mechanism. The top layer should express business aspirations and the performance of the organization against those aspirations. As much as possible, explain aspirations in terms of business performance, not technology. Performance is underpinned by a series of security measurements that are evaluated using a set of objective criteria.