I'm old enough to remember the days when cyber security pretty much referred to an Arnold Schwarzenegger movie (Terminator anyone?). But reminding myself that boards must focus on risk prevention and management as part of their fiduciary duty moves to begin the conversation about cyber security governance. Hence I must share the following CIO article.
Do boards understand their new role in cybersecurity?
Julie Ragland was CIO of vehicle manufacturing company Navistar, and has held IT leadership roles at Adient and Johnson Controls. To Ragland, who also sits on several state agency and non-profit boards, one of the greatest responsibilities for today’s boards is in governing cyber security risk. And while board members are generally tuned in to the importance of cyber governance, they don’t always understand the true risks with cyber and their own governing role.
“Most boards fall into the trap of thinking that cybersecurity is a technical issue, and focus too much on technical protections and whether the right tools are in place to protect the organization,” she says. “But we know that more than 90% of cybersecurity incidents start with human behavior error. Cyber incidents are as much a communications and legal challenge as they are a technical challenge, so when boards focus too much on the technical, they miss key areas of responsibility.”
Knowledge is power
As is often the case with boards and technology, there are some common causes for a gap in understanding. “Boards typically don’t have technical expertise, so they’re sometimes intimidated by the topic and just want the company’s CIO and CISO to take care of it,” says Ragland. “So it’s incumbent on the CIO to provide the right board-level cyber education.”
If boards don’t fully understand their role until they’re in the middle of an incident, they bring unnecessary risk into the company they govern, and it falls under the CIO to educate the board on the primary risk of a cyber incident and how to prepare.
Developing areas of expertise
External assessments, says Ragland, are powerful tools for CIOs, too. “With boards seeking external validation on risks, just as they would financial fiduciary through an audit, it’s the executive responsibility of CIOs to provide them with that information, as well as having a fresh set of eyes on an always changing landscape,” she says. Audit and IT services have cybersecurity practices, and The National Association of Corporate Directors has recommendations for external assessments.
Boards want to build up their role in cyber, and they’re changing board member selection criteria as a result. “Boards shouldn’t limit their addition of technology expertise to security,” says Ragland. “Yes, security expertise is critical, but so is a board member who can address the strategic opportunity that technology brings to organizations. How are we using technology to advance our strategies, products, and customer engagements? As boards look to technology skills, they should look for someone who can bring both flavors into the board room.”
- What are the key responsibilities of boards in governing cyber security risk?
- What percentage of cybersecurity incidents start with human behavior error?
- How can CIOs provide effective board-level cyber education?
- What are the key areas of responsibility for boards in cybersecurity governance?
- How do boards prioritize investments in cybersecurity?
Second, boards should see that IT systems are, at their core, the automation of business processes to generate data. “Boards need to understand that some processes are highly automated in their organizations, and some are not,” she adds. “Some processes are more crucial to the organization’s financial results than others. From this lens, when CIOs talk to the board about vulnerabilities or investments, they understand the impact on processes and data, the most important investments. They don’t need to understand how the technology works.”
Cybersecurity executive leaders, whether CIO or CSO, have tremendous responsibility for bringing up their board’s cyber acumen. “CIOs should step away from technical presentations and move to a risk management format,” says Ragland. “Focus on business risks and how IT contributes to protecting the organization.” And don’t stop with the formal boardroom. In addition to presenting a few times a year, meet board members in less formal meetings. “CIOs should find a few people with the highest technical acumen to meet in more conversational settings,” she says. “The chairs of the audit and risk committees are usually a good place to start, and CIOs can leverage their CEO to jumpstart those meetings.”
For decades, we’ve been asking CIOs to leave the acronyms at the door and focus on business impact. With cyber and AI threatening to disrupt business strategies, it’s even more important today that CIOs contextualize technology in business terms the board understands.