Cybersecurity Reporting: What Boards Should Expect from Management
Chief security officers must communicate cyber incidents in a straightforward, understandable fashion.
In a business landscape that is increasingly complicated by cybersecurity threats, boards should expect effective communication on the cybersecurity risk management program from company management. That communication should come from the individual most qualified to convey the information: the company’s chief security officer.
Hardly a day goes by without a large security incident being reported. Boards and management are being held increasingly accountable, and every director I have interacted with knows of or has been involved in a security incident featuring significant losses.
For many directors, cybersecurity is a foreign topic, since it is unassociated with finance, marketing and other traditional disciplines. How do you get assurance from management that they are appropriately protecting the company? How do you fulfill your own fiduciary responsibilities for the company?
The answer: Boards should walk away from a cybersecurity briefing with confidence. That is all.
Boards should be confident that their management is appropriately mitigating cybersecurity risks. Confidence takes a few forms:
- Confidence in cybersecurity leadership
- Confidence that management supports the program
- Confidence that there is an appropriately executed cybersecurity program
- Confidence that the cybersecurity program is forward-looking
- Confidence that cybersecurity tradeoff decisions are made appropriately, with consideration of commercial, regulatory and security interests
There are five topics that the board must expect a briefing on at least twice per year. This briefing must be conducted by the company’s chief security officer (CSO).
Industry Update and Company Implications
Every director reads newspapers, websites and blogs, and they see a never-ending set of stories about ransomware, large data exposures, bugs, vulnerabilities, regulatory fines and more. However, these stories are rarely explained and their implications never detailed in the news. The board must expect that the CSO:
- Is well-versed in industry incidents.
- Can explain cybersecurity incidents so that directors who may not be familiar with technology can understand.
- Can explain the implications to the company.
- Will lay out the steps taken by the company to mitigate the risk.
For example, in 2017, there were major headlines about ransomware, such as WannaCry and NotPetya, and the large losses they were creating for impacted companies. The board should expect their CSO to explain how the ransomware spread so quickly and point out why the company was also at risk — and then explain that the risk did not manifest because of a strong, metrics-driven cybersecurity vulnerability management program. A timeline of the ransomware event in the industry, overlapping with what the company had done to mitigate the risk internally, would be appropriate. All of this – provided proactively – is what the board should expect.
Company Cybersecurity Posture
The company cybersecurity posture covers interrelated areas, such as:
- Risk assessment. The board should expect the CSO to demonstrate expertise in the universe of applicable cybersecurity risks and their potential impact on the company, and that the company is implementing appropriate measures to mitigate the identified risks. I prefer a standard heat map with associated explanations (see below), but there are many ways to communicate a risk assessment’s results.
- Key incidents and trends. In every organization, there will be cybersecurity incidents of differing impact. The board should expect a briefing on key incidents, their root causes, failures in controls, lessons learned and projects initiated to ensure continuous improvement. Directors should receive reports on any trends in incidents or control failures as well as what has been done to counter attacks or phishing attempts. Boards gain confidence when they know that, while there will be incidents, there is a measured, analytical process for managing them and ensuring that lessons learned are incorporated into the cybersecurity program. Bear in mind that boards should be highly concerned if there are no reportable incidents in two consecutive reporting periods.
- Key projects. This update must be consistent with the risk assessment and key incidents update. Why? Management should not initiate a project unless it is strategically planned, related to significant risk as indicated by the risk assessment or related to control failures or gaps that led to incidents.
Education on a Relevant Cybersecurity Topic
Directors are, or have been, high-level executives within their companies. They are not used to being the least knowledgeable person in the room on any topic. However, as a group, they are often not cybersecurity experts. The field of cybersecurity moves so swiftly that even experts in the field can be left behind. Directors should ask simple – but searching – questions such as:
- What is the cloud, and what are the security implications? If our cloud is hacked, who bears liability?
- What is the dark web? Why is it called that? What information is on it? Is our data on the dark web? How would we know?
- What is a bug bounty, and why might we consider it?
- What is encryption at rest, and what does it guard against? Why can’t we encrypt everything?
- What is the issue with ransomware? What if we just paid the hackers?
Directors are loath to show their ignorance of cybersecurity. The board must expect (or demand) an educational component at every briefing. This topic may be something recent in the news (such as SQL injection), it may be something that aligns with the company strategy (like cloud everywhere or mobile everywhere), or it may be something exciting and sexy (perhaps the dark web). The board is entitled to a thoughtful and gentle explanation of the topic, the implications for the company and what the cybersecurity organization is doing to address these implications.
Indicators of Operational Efficacy
The board should ensure that the CSO is not communicating metrics that are too technical, do not have a correlation to risk, do not have a correlation to business value or are not controllable. Indicators of operational efficacy must be aligned with the risks identified in the company risk assessment. For example, a key risk might be exposure to attacks from publicly exposed websites. A key mitigation strategy would be a vulnerability management program. Metrics would be the number of systems scanned, the coverage across the enterprise, the number of open high-risk vulnerabilities and the average time to remediate a high-risk vulnerability. Boards should question CSOs keenly about their choice of metrics to make sure the metrics are:
- Directly correlated to risk and business performance.
- Straightforward to measure and have little ambiguity.
- Comparable, either to best practices or to industry benchmarks.
As an example, the three biggest risks for a corporation may be its external web footprint, phishing and social engineering, and third-party vendor management. Appropriate metrics would be:
- Coverage and visibility of external web footprint, high-risk vulnerabilities on external web footprint and mean time to remediate a high-risk vulnerability.
- Results from phishing simulations of employees.
- Percentage of high/medium/low-risk vendors who have completed risk assessments.
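The metrics above are only useful to a board if they are computed the same way every period from the underlying records. The following is an added example, not code from the article or from RELX, showing how a security team might derive the three sets of indicators from its own data: scan coverage and high-risk remediation time from an asset inventory and scan findings, the click rate from a phishing simulation, and assessment completion by vendor risk tier. The asset names, findings, vendors and phishing results are all constructed sample data, and the function names are the author's own choices, not any tool's API.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Constructed sample data (not from the article): a small asset inventory,
# the subset of assets the scanner actually reached this period, the
# findings it produced, a phishing simulation result and a vendor register.

ASSET_INVENTORY = ["web-01", "web-02", "api-01", "api-02", "legacy-01"]
SCANNED_ASSETS = {"web-01", "web-02", "api-01", "api-02"}


@dataclass
class Finding:
    asset: str
    severity: str            # "high", "medium" or "low"
    opened: date             # date the scanner first reported it
    closed: Optional[date]   # None while the finding is still open


FINDINGS = [
    Finding("web-01", "high", date(2024, 1, 3), date(2024, 1, 13)),
    Finding("web-02", "high", date(2024, 1, 5), date(2024, 1, 25)),
    Finding("api-01", "high", date(2024, 2, 1), None),
    Finding("api-02", "medium", date(2024, 2, 2), date(2024, 2, 20)),
    Finding("web-01", "low", date(2024, 2, 3), None),
]

# One entry per employee in the simulation: True if they clicked the lure.
PHISHING_RESULTS = [False, True, False, False, False, False, True, False, False, False]

# (vendor, risk tier, has a completed risk assessment on file)
VENDORS = [
    ("payroll-saas", "high", True),
    ("cdn-provider", "high", False),
    ("analytics", "medium", True),
    ("swag-shop", "medium", False),
    ("print-shop", "low", True),
    ("caterer", "low", True),
]


def scan_coverage(inventory: List[str], scanned: set) -> float:
    """Fraction of inventoried assets the scanner actually reached."""
    if not inventory:
        return 0.0
    return len(set(inventory) & scanned) / len(set(inventory))


def unscanned_assets(inventory: List[str], scanned: set) -> List[str]:
    """Assets the board should hear about: in the inventory but never scanned."""
    return sorted(set(inventory) - scanned)


def open_findings(findings: List[Finding], severity: str = "high") -> int:
    """Count of findings of the given severity that are still open."""
    return sum(1 for f in findings if f.severity == severity and f.closed is None)


def mean_time_to_remediate(findings: List[Finding], severity: str = "high") -> Optional[float]:
    """Average days from first report to closure for closed findings of that
    severity. Returns None when nothing of that severity has been closed yet,
    so the report shows 'no data' rather than a misleading zero."""
    closed = [f for f in findings if f.severity == severity and f.closed is not None]
    if not closed:
        return None
    return sum((f.closed - f.opened).days for f in closed) / len(closed)


def phishing_click_rate(results: List[bool]) -> float:
    """Share of simulated employees who clicked the lure."""
    return sum(1 for clicked in results if clicked) / len(results) if results else 0.0


def vendor_assessment_completion(vendors) -> Dict[str, float]:
    """Fraction of vendors in each risk tier with a completed assessment."""
    totals: Dict[str, int] = {}
    done: Dict[str, int] = {}
    for _, tier, assessed in vendors:
        totals[tier] = totals.get(tier, 0) + 1
        done[tier] = done.get(tier, 0) + (1 if assessed else 0)
    return {tier: done[tier] / totals[tier] for tier in totals}


def board_summary() -> Dict[str, object]:
    """The handful of numbers that would go on the board slide."""
    return {
        "scan_coverage": scan_coverage(ASSET_INVENTORY, SCANNED_ASSETS),
        "unscanned_assets": unscanned_assets(ASSET_INVENTORY, SCANNED_ASSETS),
        "open_high_risk": open_findings(FINDINGS, "high"),
        "mttr_high_days": mean_time_to_remediate(FINDINGS, "high"),
        "phishing_click_rate": phishing_click_rate(PHISHING_RESULTS),
        "vendor_assessment_completion": vendor_assessment_completion(VENDORS),
    }


if __name__ == "__main__":
    for name, value in board_summary().items():
        print(f"{name}: {value}")
```

Two design points matter for the board's confidence. Coverage is computed against the asset inventory, not against what the scanner happened to find, so an unscanned system shows up as a gap instead of silently inflating the score. Mean time to remediate only counts closed findings and returns None rather than zero when there are none, so an empty period cannot masquerade as a perfect one.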
Indicators of Strategic Direction
Directors should not only want to know that immediate cybersecurity threats are being addressed efficiently, but also expect assurance that leadership is looking ahead of the curve. Cybersecurity is a fast-moving field. What is ultramodern today will be obsolete tomorrow. The same logic applies to threats. While some threats are universal and long-lived (such as social engineering), others come and go quickly. The board should expect a measured, strategic, forward-looking direction of progress. The CSO might, for example, extrapolate risk assessment results to position cybersecurity strategy toward a three-year plan to implement multifactor authentication for all employees.
Or the CSO might provide a strategic direction for logging and monitoring, which focuses on quicker risk detection and mitigation:
- Today, year 0. Manual logging and monitoring
- Year 1. Automated monitoring with alerting
- Year 2. Orchestration of mitigation activities to include automatic blocking of alerted traffic
- Year 3. Integration of threat intelligence feeds into monitoring and orchestration framework
The board should lack confidence in management if the company’s strategic direction is inconsistent with the risk assessment, does not improve poorly performing program metrics or does not look to improve known incident trends.
Aurobindo Sundaram is head of information assurance & data protection at RELX.