Best Practices for Executive Reporting to the Board

In November 2021, investors sued the (then) SolarWinds Board of Directors for breaching their fiduciary duty of care by failing to monitor known security risks. Though SolarWinds settled in court a year later, the repercussions still resound loudly for all cybersecurity leaders.

“Directors need to understand and approach cybersecurity as a strategic, enterprise risk, not just an IT risk.” Principle 1, “The Director’s Handbook on Cyber-Risk Oversight”, National Association of Corporate Directors (NACD)

The NACD’s Handbook on Cyber-Risk Oversight is dedicated to guiding board oversight practices in the cybersecurity field. According to a study conducted in 2022 by MIT Sloan, “the CEO who follows the consensus Cyber Risk Principles is predicted to have up to 85% fewer cyber incidents.”

The NACD principles require the Board of Directors (BoD) to understand cybersecurity as a business risk and, further, to understand the legal implications of cyber risk. The principles also require that the BoD give adequate time to cyber-risk management on board meeting agendas, and boards are listening. Cyber risk has become an integral part of the boardroom agenda, and boards are becoming increasingly cyber-literate. Now more than ever, CISOs and other security executives need to become equally board-literate.

For CISOs to build board literacy, they need to understand the motivations behind board decisions. Boards have a fiduciary responsibility to oversee strategic, financial, and operational decisions. You can expect your BoD to ask the following 10 questions:

  1. What is the spend on our cybersecurity program, and what is our ROI?
  2. What threats pose a significant risk to our organization? To our peers? Are we prepared?
  3. What level of risk can we tolerate as a business, and how are we tracking against it?
  4. What vulnerabilities pose significant risks to our organization, and how are they prioritized? How long do they take to get resolved? Is this a sufficient timeframe?
  5. What are our risk appetite, our risk tolerance, and the current state of our aggregate risk?
  6. How does our security maturity compare to our peers and to the industry on average? Should we invest in anything more? Where can we improve?
  7. How many cyber incidents has our company experienced in the last reporting period? What was the resulting loss?
  8. How mature are our cyber-risk management practices? How do we calculate risk?
  9. Is our cybersecurity spending adequate given the threats we face and our risk appetite targets? Should we spend more or less, and on what?
  10. Are we making the right business and operational decisions? Where can we improve?

Answering the questions above in ways that resonate with your board is not an easy task. For that reason, we offer some tips below:

  1. In most cases, security executives should avoid showcasing operational metrics unless they help the Board understand the state of compliance and any outstanding critical issues, support a discussion of patterns, trends, or benchmarking, or, when reporting on incidents, explain root cause(s).
  2. Your BoD wants to know if you are fully secure. Given the evolving threat landscape and the impossibility of eliminating all sources of risk, assure them that you are operating the security program with high confidence. If you are not, be transparent and tell the Board what you need to build a sustainable program that balances the need to protect against the need to operate with speed and at scale.
  3. Align your progress to a well-known framework (e.g., NIST CSF, NIST SP 800-53, ISO/IEC 27001/27002) or a hybrid as you see fit. The purpose is for your Board of Directors to acclimate themselves to your continuous and evolving state of maturity. It is also a helpful way to benchmark your progress internally and against industry best practice.

There are no perfect answers to most, if not all, board questions; however, a general compass does exist. Security executives must understand that the Board of Directors is interested in advancing the business goals. As long as security executives are also aiming to advance those goals, they will eventually find alignment with the Board.

Learn more about how ULTRARED enables business-ready vulnerability metrics tailored to your asset criticality and threat exposure here.