An open conversation about cyber-risk reporting to the BOD

November 19, 2019 | 9 min read | Security Posture

A few days ago, I had the privilege of moderating a boardroom discussion of CISOs at the Evanta Dallas CISO Summit on the topic of Cyber-Risk Reporting for the Board. Evanta’s boardroom discussions are great since they serve as fantastic opportunities to benchmark various CISO topics, and to discover new challenges that the community is facing as well as ways in which these issues may be addressed.

Specifically for our topic, many recent surveys of cybersecurity professionals have raised questions about the effectiveness of communication between security teams and board members. Most C-suite and boardroom discussions on cybersecurity tend to be based on gut feelings and incomplete data. There is typically an elephant in the room which people don’t (want to) talk about: the gap between what’s in the PowerPoint slides and the on-network ground truth. Our goal was to have an open discussion about how participating CISOs have their conversations with their boards, and to learn from each other. Here is what happened…

First some basic stats:

Our session was attended by 17 CISOs from public and private companies from a variety of industry verticals including Finance, Insurance, Manufacturing, Retail, and Transportation. Rounding out the group, we had one CISO from the government sector.

In our group, all CISOs except one present to board members and/or audit committees multiple times a year. For larger or more security-mature organizations, the cadence is quarterly meetings with the audit committee and semi-annual or annual meetings with the full board. For others, there is no relevant board subcommittee and they present to the full board on a quarterly basis.

Many CISOs in our group (about 40%) said that they have spent a lot of time educating their boards about cybersecurity and breach risk and feel that their boards now understand the nature of the beast. Three CISOs are still in the early part of their “educate the board” journeys. The balance of our group is somewhere in the middle.

The persona of the typical board member was very succinctly put into words by one CISO: “accountants or lawyers, primarily concerned about expenditure or liability to the company” and “they don’t really know much or care about cybersecurity”. This is not surprising given the typical composition of board audit committees and the technical nature of cybersecurity. A couple of CISOs sounded upbeat on the news that some public company boards were now actively seeking to recruit at least one cybersecurity expert to their ranks. Some of our members also pointed out various boot camps now being offered to prepare board members for cybersecurity oversight.

Most of our CISOs spend a lot of time preparing materials ahead of board/committee meetings and providing them to the board members as long as 30 days before the meeting. Some CISOs have found one board member they work with outside the regular meeting cycle to understand new concerns or questions that might be worrying the board.

Now three main takeaways from our discussions…

  1. Compliance *is* security. We have all heard CISOs and CIOs on numerous occasions exclaim, “but of course, compliance is not security.” An organization can be completely compliant and yet quite vulnerable to a data breach. Many of the data breaches in the last decade have involved organizations that had passed many compliance-related audits. I have also written on this topic in detail as to why being compliant is not necessarily the same as having a good cybersecurity posture.

    Many CISOs in our group think differently on this topic. For them, an organization cannot claim to have a good cybersecurity posture without first attempting to align against and comply with some standards framework. More importantly, these CISOs are trying to drive home to their senior executives and board members that it is impossible to be compliant against any data protection standard unless they also have an appropriately good cybersecurity posture. This is used to drive budget allocation for important security initiatives using compliance dollars. Smart!

  2. Privacy. Our group’s CISOs are seeing privacy become a real hot-button topic with board members with the advent of GDPR, CCPA and similar regulations. They are beginning to see asks from the board to be educated on these topics and informed about the state of “privacy compliance” of the organization. Many of our group’s members see this as a huge upcoming challenge in 2020 and beyond, one that is not restricted to educating the board but also extends to doing the same for many parts of their organizations. They foresee many difficult discussions that will wrestle with questions like “what exactly do we do with our customers’ data” and “what things can we not do with this data” while “not stopping the business”.

    Along these lines, 3rd-party vendor risk is also front and center for our group’s CISOs, who see many potential bombshells in the yearly/half-yearly checklist-style cybersecurity posture questionnaires provided by their vendors. One CISO indicated that his organization had deployed VDI for key outsourced business processes to prevent any data transfer to a less secure environment.

  3. Exceptions. This topic of discussion was not surprising to me, but the energy of the discussion from the majority of CISOs was quite astounding to see. Many of our group’s CISOs acknowledged that issues that fell into their “approved exceptions list” were not reported to or discussed with the board. The exceptions list contains all sorts of situations, including un-patchable or obsolete systems, missing controls, absent processes, non-compliant 3rd-party vendors and so on…

    Some CISOs felt very strongly that this was their (very frustrating) Achilles heel – an official mechanism to sweep difficult things under the rug and prevent them from being discussed or reviewed with the board, a growing bubble just waiting to burst.

From my personal perspective: visibility is key. Unless you can accurately answer questions like “what are my assets?” and “where is my customer data?”, you cannot even begin to ask the questions “which of my assets are at high risk of breach and why?” and “is our customer data safe?”, or assert “we are compliant” and “we take all the right measures to protect our customers’ data”.

Do you have real-time visibility into your asset inventory and cybersecurity posture (including all exceptions)? Or are you trying to do the hardest job in the world with 60% visibility and everything else in the exceptions list? Here is some information on a framework for quantifying cyber-risk for your board and C-suite colleagues.

A very special thanks to our discussion leaders: Michael Britton, Eric Fisch, Mike Priest!