What you should tell the board about cyber
A meeting of a board of directors of the Leipzig–Dresden Railway Company in 1852. Copyright period expired.

You've been invited to brief the board on cybersecurity. I'm sure that your presentation is all set and ready to go, because the board members probably told you exactly what they wanted you to talk about. In case they didn't, the following is a perspective on a starting point for your first board discussion on cyber. Before you lean forward with a detailed list of enterprise vulnerabilities or a raft of scary stories about recent hackery targeting your industry, there are three things that the board probably needs to know about your company's cybersecurity, and they may not be the things you assumed the board would want to hear.

Are we meeting our obligations for cybersecurity?

The things your company must do in cybersecurity include obeying any applicable cybersecurity laws, conforming with compliance frameworks like PCI (if required) and meeting cybersecurity-related contractual obligations to customers and clients. If you are unsure what your organization's specific obligations are, then now is the time to consult with attorneys, compliance experts, and other subject matter resources to develop your understanding of this issue.

Preparing to help the board understand the answer to this question also helps cybersecurity leaders understand the key requirements of their cybersecurity program (e.g., metrics they need to track, controls they need to deploy, underlying policies and procedures they need to create, etc.). For example, consider HIPAA compliance. The section of federal regulations that implements HIPAA has a list of rules with which organizations must comply (e.g., you must encrypt protected health information). In order to do this, you need to know where the protected health information resides in your environment, and you must have some way of controlling how it's stored and processed. To do this, you must have a set of policies and standards backed by administrative and technical controls and an auditing function that monitors internal compliance. Each of these layers of complexity has an associated dashboard showing associated metrics. If we zoom back out to the board level, the board's view would enumerate each enterprise cybersecurity obligation and tie it to one or more data points providing supporting evidence describing how the enterprise is meeting those obligations.

While other advisers to the board may be able to tell parts of the story, the board's cybersecurity adviser (you) will likely be most qualified to synthesize a complete picture of how and if the company is meeting its cybersecurity obligations.

Are we exercising “due care” in cybersecurity?

This is an area in which the board will be most dependent on your expertise as a cybersecurity professional, since it is not a question that can be answered definitively. Your perspective should include consideration of supporting areas such as the relative maturity of your cybersecurity program versus peers (e.g., relative spend levels, relative headcount levels, similarities in technology usage, etc.), whether an independent outsider would conclude that cybersecurity programs are sufficient for the level of risk, and whether there exists cyber risk that could be considered unreasonable for your industry and business environment.

If you have reached the rarefied stratum of professionals who interact regularly with their companies' boards of directors, then you likely have a well-developed point of view to offer on this matter based on your previous experience. But a fact base reinforced by outside opinion is needed to sustain your credibility. To support messaging on this topic, ensure that you can offer recent benchmarked assessments of your cybersecurity program's maturity, results from recent cybersecurity tests and simulations, and a thorough and updated cyber risk assessment of your company's operations.

Also, keep in mind that the board has a duty of care regarding company operations that continues throughout the year. As such, you may find yourself in a situation where you possess cybersecurity-related information that the board needs to know outside the scope of a regularly scheduled meeting or presentation. While the details of when and how security breaches are reported must be decided by company leaders at the highest level, recent unfortunate events at Uber should serve as a lesson in what not to do. If you're expected to advise on the topic of due care in cybersecurity, ensure you meet this expectation continuously.

Have we taken steps to minimize losses in the event of a breach?

By now, the sentiment that the world is divided into those companies that have been breached and those that just don't know that they've been breached has become a cliché to most cybersecurity professionals. This means that presentations to senior leaders that focus solely on prevention are no longer relevant. Board members need to understand what they should expect when a breach inevitably occurs and what measures are in place to minimize loss. Key issues underlying this question include the existence and limitations of a breach insurance policy, the organization's understanding of and proficiency at deploying its breach response plan, and options for recourse in breaches that result from interactions with third parties (e.g., we were breached because our CSP didn't exercise due care).

Breach insurance likely won't make your company financially whole in the event of a breach, but it will soften the blow for investigation and cleanup costs. If your company has breach insurance, then it likely includes language circumscribing the instances when the policy can be used. The board needs to understand these limitations. Similarly, you should develop a general understanding of the service levels and guarantees expected from third parties (e.g., vendors, service providers, etc.) in the event of a breach involving your company's data. This issue is becoming increasingly important as more companies are trusting their data to cloud service providers.

Board-level response planning should encompass issues that are much broader than the typical cybersecurity incident response plan. Additional considerations include when and how to engage the legal team, when and how to engage government and law enforcement representatives and regulators, and when and how to communicate with customers or clients. Plans once made should then be exercised regularly, and exercise scenarios should engage all portions of the plan, including interactions with the board. While participation in breach response exercises may not build deep cyber expertise within the board, it will inform their perspective about what they should expect when a breach occurs.

Why these issues?

If you're thinking that these questions are a bit "fluffy," consider the complexity of the data required to answer them thoroughly. Rolling all of this insight into three easily understood high-level buckets abstracts this complexity, so board members don't get lost in the weeds. The questions also speak to the core of board members' worries in cyber: the unknown unknowns that can result in significant unexpected losses to the enterprise. As a bonus, you'll have the underlying facts available to provide additional context on any issue for which board members might want more detail.

Hopefully, your presentation will be well-received. Just remember to think of yourself as a trusted adviser on risks to the business and not merely as a technology professional, and you'll be speaking the board's language in no time!

Andrew Peters

The Philippines Recruitment Company - Solving Skills Shortages ✔️ Chefs ✔️ Restaurant Managers ✔️ Kitchen Operations ✔️ Banquet Operations ✔️ Front Office ✔️ Housekeeping

6y

Great post. Thanks for sharing.

Charles Gafford

Connecting military-agents w/ the training, tools, & referrals to fuel a business worthy of those they serve.

6y

Adam, thanks for the great article! Why no mention of legislative compliance? Hopefully you find the following useful; I know I have. 1. A 7-min crash course in recent Texas cybersecurity law https://www.lexology.com/library/detail.aspx?g=bef07726-a669-4b72-9b75-b4272719f7a7 and my personal favorite... 2. Penalties in the state of Texas for a business that does not timely disclose of a data breach, '$100 per record, not to exceed $250,000 per incident.' http://www.statutes.legis.state.tx.us/Docs/BC/htm/BC.521.htm Thanks again for the post!


Nice job, Adam. Well written.
