Benchmarking the Board Conversation on Cybersecurity – One Year On…
Written by our inhouse editor, Lyndsay Turley, an experienced communicator and cybersecurity advocate.
Last November Pulse Conferences held its first Talk to the Board event, a unique opportunity to step outside of the Pulse 360 CISO/cybersecurity community and take stock of the growing appreciation for the risks that our delegates manage daily. The experience shared in the room demonstrated that while the conversation in the boardroom may have been early in its development, it was not focused on basic concepts. It also challenged widely-held perceptions, providing a snapshot of a journey that an increasing number from both sides of the conversation had begun. Nearly one year on, with the approach of the next Security 360 – Talk to the Board conference on 7 November, we have been reviewing the points made, setting a benchmark for marking how this conversation may have progressed.
Perhaps the most obvious observation shared underlined why members of corporate boards can be unresponsive to the proliferating demands for them to be more knowledgeable in cybersecurity. Our panellists of four board directors, including people serving as non-executive and management board directors in four different sectors (advertising and public relations, publishing, retail hospitality, and aerospace), were all well versed in managing crises. They also reassured the room that they were very receptive to being told there is uncertainty, particularly during a crisis. Their expectation was to be informed, and to be able to rely on technical competence within the management team. Their focus was straightforward: “I need to understand your biggest fears about this breach, your next steps to investigate the scale of the problem, and what can be done about it.”
It was clear that responding to this expectation relied on relationships built around relevant and real context, not theoretical possibilities. Our panel took pains to emphasise that this does not mean that everything must be expressed in terms of a return on investment. They were all actively seeking assurance that not just the risks, but also the impact on their business, could be understood and addressed. The room was advised, for example, to expect questions aimed at the ability to ensure delivery of their proposals, confirming adequate consultation across the organisation. This was a mandate that reached beyond the ongoing debate around an independent reporting line, and many advocated that being within IT leaves the CISO better positioned to deliver against their aims. They were also advised to show vision, and to project the total “ask” for their programme, or the fit of a project within a programme, rather than focus on a discrete budget.
All of our board panellists also confirmed that their businesses, most of them long-established concerns, were in the midst of transformation in response to globalisation and/or disruptive competition, both underpinned by new technical capabilities. It’s a dynamic that is focusing attention on cyber risks right across the economy. The inherent challenges were illustrated in more detail at our subsequent CISO 360 Congress in June, where delegates agreed that the levels of change and complexity meant they currently struggle to understand their role within companies that don’t themselves understand what they are doing. They rely on collaborative networks and discovery of the “undocumented business strategy” to gain visibility of what is driving risk.
Our board panel would have appreciated these insights. They recognised the risks as critical and the landscape as complex. Each shared experience that demonstrated different priorities, styles and overall levels of maturity in their treatment of cyber risk. There was no defined formula for success beyond the need to understand board aims and the assurance that conversations could be very personalised: “It should take work, time and effort to understand their point of view to understand what they are worried about.”
Our panel also admitted they could do more to progress the conversation by addressing gaps in communication, and by clarifying accountability for their roles in setting culture, managing a crisis, and generally assuring adequate knowledge to assess strategic concerns. Notably, our panel pointed to our audience of over 70 cybersecurity leaders as essential to helping them do that.
After several hours facing their questions, one panellist summed up a home truth for all in the room, and anyone looking to influence investment and support in a landscape of competing priorities. “There isn’t a secret pot of money for special things.”
This year, Talk to the Board becomes Security 360 – Talk to the Board, acknowledging the growing concerns over cyber-physical risks coming from both our CISO and CSO 360 communities. Download the Pulse Innovate Report CISO 360 Talk to the Board for a more detailed review of the developing corporate response to cyber risk, and come along on Thursday 7 November to play your role in progressing the debate. Register at www.talktotheboard.com. Attendance is complimentary if you are a senior CISO or practising CxO working for a bank, corporate or government entity, as opposed to being a provider or advisor to the security community.