Establishing Trust with Your Board—Advice for Security Leaders

By David Faraone, Sr. Consulting Director, Unit 42

For many Chief Information Security Officers (CISOs), reporting to the board of directors has been handled as a reactive, albeit very necessary, task. After all, it’s the board of directors that sits atop the corporate governance model, so it is incumbent upon security professionals to keep them informed. But communicating about security incidents—like the Log4j vulnerability, for example—fielding requests based on regulatory requirements, or answering questions about a breach that happened in the same industry should definitely not be the only moments when CISOs engage their boards.

On the contrary, security professionals should be in regular contact with their boards, keeping them informed and educated and establishing mutual trust. Ultimately, working together with the board of directors helps create a better security posture—something we all need.

The board’s role as the fourth line of defense

While the board is sometimes thought of as just another group that security leaders need to report into, this governance group can actually be much more.

A board of directors can and should be thought of as the fourth line of defense for an enterprise’s security. The first line of defense is the day-to-day security operations and capabilities managed by hands-on operational staff who are triaging incidents. The second line of defense is what we call the cyber governance function, while the third line is the internal audit and reporting function. The fourth line of defense, then, is the board of directors. It is critical that all four lines of defense communicate effectively to eliminate gaps and create a cohesive cybersecurity operation.

How to proactively build trust with the board

Enabling the board to be a partner for security and an effective fourth line of defense involves both sides trusting one another. For security professionals, this requires navigating what’s important to the board in terms of three main elements:

  1. Brand protection. Make sure that the organization’s brand is protected from an intellectual property, trade secret and reputation perspective.
  2. Profitability. Ensure that the right security controls are in place so that the company remains profitable.
  3. Risk management. Know what to report to the board that really resonates with how the business could be impacted by cybersecurity threats.

Bring a return on security investment (ROSI) outlook

When communicating with your board, it’s important to make sure that everyone speaks the same language. It’s no secret that board members aren’t often cybersecurity experts. As a result, CISOs often struggle with what level of technical language to use—sometimes even shying away from sharing certain technical information because they really just don’t know how to communicate with these non-technical folks.

I also often see CISOs who really emphasize technical elements but are not successful at communicating risk from a business standpoint that the board understands. The sweet spot in communicating with the board is keeping the audience engaged and effectively conveying those risks without scaring them.

Within Unit 42, we use a term called ROSI to help communicate the return on security investment. It’s vitally important for CISOs to articulate, in financial terms, why certain security investments are critical: what the return will be, what assets are being protected, and how they’re being protected. The ROSI should also explain what the net gain in objective security maturity is for the organization, not subjective maturity.

The Unit 42 framework for communicating risk to the board

One of the primary responsibilities that a CISO has to the board is to communicate risk in a proactive and meaningful way. Palo Alto Networks Unit 42 has developed a framework for communicating risk to the board that encompasses the following key steps and items:

  • Inventory collection. You cannot protect what you don’t know about, so be sure to have a proper inventory of IT assets.
  • Identify key assets. Discover and identify the most important assets, whether that’s individual data, applications, or specific infrastructure. It’s critical to understand the key assets that sit at the heart of the business.
  • Security tool assessment. The organization needs to understand how well it is using the security tools it has to protect those key assets.
  • Incident response capability assessment. If an incident impacts the key assets, the organization must be equipped to respond in a way that is effective and efficient.
  • Testing and validation. Understand the tools and incident response capabilities. It’s critical to test and validate how those capabilities would look if a threat actor did attack the key assets.
  • Board of directors’ resiliency briefing. The final step of the framework is to communicate to the board how resilient the organization is to potential risk. Aim to give the board actionable and objective results from the analysis and communicate them in a way that really links back to business.

Reporting metrics: Be a leader, not a laggard

We often see organizations reporting mostly operational security operations center (SOC) metrics, such as the number of attacks, alerts, closed incidents or unpatched operating systems, to show progress. But that doesn’t go far enough to translate cyber risk. Categorically, those SOC metrics should be considered lagging indicators that result in reactive remediation measures.

We recommend CISOs present leading indicators that promote proactive security initiatives. A good example metric for a proactive leading indicator would be the number of third parties or supply chain risk management resources that have been assessed over the past 12 months. That metric shows not only how many high-risk supply chain resources there are but also how far the company is going in terms of validating the due diligence of those third parties.

Recommendations for successful CISO/Board communications

Building a successful working relationship with any board is a process, but the very first key is to establish the relationship. Get to know your board and understand what resonates with them in terms of business risk. Knowing their focal issues is the only way you’ll be able to communicate to them how you’re protecting their best interests in terms of the business assets and the business imperatives.

Also, take a data-driven approach to what is communicated to the board. Eliminating subjectivity wherever you can places you in a better position, as you’re simply stating the facts. That said, simply throwing up numbers on a slide doesn’t work either. What works is storytelling. Board members like to understand the introduction, the plot, the climax, and the resolution. So don’t just present data, but actually present the story behind it.

And fundamentally, remember: the board is part of the solution. They’re the fourth line of defense. As such, be sure to help enable and create a culture of empowerment, where leaders across the organization understand that security is everyone’s responsibility.

To learn more, visit us here.

About David Faraone:

David is a senior director at Unit 42, leading the North America East Region Consulting Team. He is a highly accomplished cybersecurity consultant with deep expertise serving large organizations in areas such as CISO advisory support, cloud security strategy, network security architecture and design, and Internet of Things security.

February 14, 2022