Driving the Business
The top speed of a Tesla Model S is 155 miles per hour, which the car can reach in approximately 29 seconds. It is one of the quickest-accelerating production cars in the world, and it carries one of the most powerful sets of brakes on the market.
“Tesla has a set of brakes on that car that are so oversized and overpowered, that they can stop the car cold even if the engine malfunctions and spikes at full throttle,” says Ryan LaSalle, security growth and strategy lead at Accenture. “The only reason you have a car that goes that fast is because you have a set of brakes that can control it. To be able to corner at speed, you need good controls. That’s supposed to be the partnership between security and innovation.”
The challenge for many companies, though, is how to build this partnership so that when the CEO goes to the board, he or she can communicate clearly what the cyber risks to the business are and how they are being addressed, and can show that security is enabling the business to move smoothly, and safely, towards its goals.
According to the National Association of Corporate Directors (NACD), only 15 percent of boards are satisfied with the information they receive from executives on cyber risk management. One likely reason is that many CEOs began discussing cybersecurity regularly with their boards only within the last two years and were initially unprepared for these conversations.
To prepare for these conversations, CEOs turned to their CISOs or vice presidents of information security, but many of those experts struggled to explain cybersecurity in a way that the CEO could understand.
“Most security professionals have a hard time articulating and conveying not only risk, but also the benefit of what they are doing,” LaSalle says. “And if they continue to have a hard time articulating that, they will struggle to be relevant and be part of the strategic plan of the business.”
Matt Appler is now the CEO of Corsec Security Inc., which assists companies with security certification and validation processes, but he once was a software developer. When it came to learning how to communicate with executives about cybersecurity, Appler says it was not an easy process.
“Unfortunately, it was mostly through the school of hard knocks and finding ways to talk about security given that it’s already a subject that’s highly technical, which by its nature makes it extremely difficult to communicate with others about,” he explains.
The other factor that makes communicating with executives about cybersecurity difficult is that security is not an absolute. Appler compares it to the risk of getting into a car equipped with airbags, seatbelts, and backup cameras.
“But ultimately, you’re going to choose how you operate that car, how fast you drive…you’re making choices based on your perception of risk around you,” he says. “But all of us understand that we could be in an automobile accident. The same is true in information security. It’s not an absolute…the only way to eliminate the risk is to not get in the car.”
Focusing on risk and why that risk matters is the key to communicating with executives—and boards—about cybersecurity, Appler adds.
“I found very early on that it was more effective to explain why you would care about protecting information—why that would matter—than about the technology,” he says.
For instance, in May 2017 the WannaCry ransomware (also known as WannaCrypt) spread through a Windows SMB vulnerability that Microsoft had patched two months earlier, hitting organizations that were still running unsupported or unpatched systems. When those companies were asked why they had not upgraded or patched, Appler says, many answered that doing so had been too expensive.
“But when they suffered the problem, they were unable to provide service for potentially days. They took a financial hit, a brand hit, and a reputational hit,” Appler says. “I would question whether they truly understood what risk they were taking by not upgrading.”
To communicate that risk clearly, Appler says, CISOs should avoid resorting to “scary stories” to frighten boards into investing in security. Instead, they should quantify risk in dollar terms, so that the board and CEO can weigh what they are willing to pay to reduce it against the cost of the controls.
“There are many things you can do to mitigate that risk, but at the end of the day they are going to have a cost and the return is likely risk mitigation—not features or benefits directly to your company,” Appler adds.
LaSalle echoes these sentiments and says that CISOs need to prepare their CEOs on four points: the cyber risks the business is currently carrying, what must be done to address them before exposure grows, the potential cost of not acting, and how addressing those risks helps the business achieve its goals.
“That’s where, at the board level, when you’re telling stories around the biggest threats to what the business is trying to do, you’re using the language of business—not the language of hackers—when you talk about threats,” LaSalle says, “when you’re trying to talk about programs you have in place and how effective they are at managing those risks.”
For instance, a client that LaSalle works with put this into practice a few years ago just before the Sony hack occurred. The client had recognized through a threat intelligence function that destructive malware was one of the biggest threats to the business’s operational resiliency.
The client went through a process to examine how a destructive worm would impact the business. It then changed its investment portfolio, implemented a solution to create more operational resiliency and increase its defenses, and then briefed its board.
The client, LaSalle explains, told the board that it was tracking destructive malware because of the risk it posed to the business and explained how it was mitigating that risk. It also described past failures to mitigate that risk and the market indicators it was tracking that could change its perception of its readiness to handle the risk.
A few quarters later, during the Sony attack, the client went back to the board. The briefing included details on how IT would repel a similar attack, why those actions would be warranted, and what new threats were looming.
“That’s the kind of example I use to explain this because it had a tremendous business impact,” LaSalle says. “It demonstrates the effectiveness of the investment, and it provides clarity from a risk perspective, to a bunch of business owners who aren’t really worried about what the vulnerability is or how it propagates—but they are very worried about the business outcome.”
Taking this approach of regularly briefing the board and providing benchmarks of where the business is in addressing cyber risks is a best practice approach, says Lisa Sotto, head of the global privacy and cybersecurity practice at Hunton & Williams LLP and former chair of the U.S. Department of Homeland Security’s Data Privacy and Integrity Advisory Committee.
“Some of our clients are appearing before the board on a routine basis and using benchmarking as a way of showing where the company is today as compared with others in their industry sector, and then also showing benchmarking as compared with a point in time—say today versus where the company is two or three months from now,” she explains. “Benchmarking is very helpful in putting the evolution of the cybersecurity program into context.”
Having this regular dialogue helps build a base of understanding for board members and educates them on the company’s cybersecurity strategy. “The board wants to hear the overall strategy, but they are also going to want to hear about some of the more granular testing, like penetration tests and the results, risk analysis, data flow mapping exercises,” Sotto adds. “High level is very good, but with details waiting in the wings in case board members are interested in going into more detail.”
This is likely to happen as boards become increasingly interested in cybersecurity and more knowledgeable on the topic. They may also be required to become more knowledgeable under new regulations or legislation making its way through the U.S. Congress.
For instance, U.S. Senators Mark Warner (D-VA), Jack Reed (D-RI), and Susan Collins (R-ME) introduced legislation, the Cybersecurity Disclosure Act (S. 536), that would require publicly traded companies to include information on whether any member of the company’s board of directors is a cybersecurity expert in their Securities and Exchange Commission disclosures to investors. If a company has no cybersecurity experts, it would be required to explain why a greater level of expertise was unnecessary.
“Cybersecurity is one of the most significant and enduring challenges that all businesses, across industries, face and should be accounted for as part of the corporate risk management process,” Senator Reed explained in a statement. “Investors and customers deserve a clear understanding of whether public companies are prioritizing cybersecurity and whether they have directors who can play an effective role in cyber risk oversight.”
S. 536 has been introduced and referred to the U.S. Senate Committee on Banking, Housing, and Urban Affairs, but has not advanced.
“The bill alone is interesting, and, even if the bill doesn’t pass, more efforts like this could have the effect of incentivizing boards to look for cyber savvy directors,” Sotto says.
And while many companies are struggling with connecting cybersecurity to the mission of the business and articulating the risks associated with it, CEOs are beginning to track the issue and invest in it.
“If we continue to improve and unlock more of the stories and the business value of what security is doing for the business, I think the population of [cyber-focused] CEOs will grow,” LaSalle says. “I don’t know if they will ever be the majority, but I do think that it will be a best practice for a CEO in five years to be not just interested and involved in the security of their organization, but really committed to it.”