The board of directors is among the most influential entities in most companies, as it is responsible for setting policies for managing the business. However, when it comes to emerging risks such as cyber, some boards may either lack knowledge about the risk or are hesitant to adapt to the changing reality.
In a session at the recent RIMS Live 2020 virtual conference, Rich Baich, senior vice president and chief information security officer (CISO) at AIG, discussed the importance of having the board on the same page as risk professionals and the CISO with regard to cyber risk.
According to Baich, board members can be held liable for failing to act when faced with reasonably known cyber threats.
These include failing to maintain an appropriate cybersecurity program, failing to protect company assets and businesses by disregarding cyberattack risks, failing to take necessary steps to protect customer, employee, or financial information, and failing to notify stakeholders in the event of a data breach or cyberattack.
Baich illustrated two types of boards with regard to cyber – the cyber-uninformed board and the cyber-aware board.
The cyber-uninformed board, he said, does not view cybersecurity as a strategic threat; it is often overshadowed by other issues, including competition or talent recruitment and retention. This kind of board also has inadequate cybersecurity processes and does not regularly discuss cyber risks and contingency plans with experts in the field.
Furthermore, the board does not believe that cybersecurity threats are universal and refuses to take ownership of these risks.
On the other hand, the cyber-aware board “holds executive management accountable for evaluating current cybersecurity risks and maintaining response plans,” Baich said. Importantly, the board receives timely updates from the CISO and regularly reviews and approves the company’s cybersecurity strategy.
The cyber-aware board also asks relevant questions to determine whether adequate cyber risk management is in place, and encourages governance through oversight and committee structures.
“These reports need to be concise, focused on risk identification, risk mitigation, and most importantly, risk prioritization,” he said.
“This is why the CISO must build trust with the board, focusing on issues, plans and timeframes, and validating the closure of these issues. The CISO must have the courage to inform but also the acumen to demonstrate solutions and the demeanor to ensure that the solutions are completed in the right fashion.”
According to Baich, the most successful organizations engage the board with a unified view of risk. This is achieved by defining the board’s risk oversight role, fostering a risk-intelligent culture, incorporating risk intelligence into strategy, and helping define the organization’s risk appetite.
He said that “the CISO must work closely with the chief risk officer (CRO) to help define appropriate risk appetite metrics for the information security discipline.” The CISO’s top duties, he added, are to make sure that the organization knows about its cyber risk, gets the right information as quickly as possible, and, most importantly, decides which of those risks need to be acted upon and in what timeframe.
In working together with the CISO, the board must “set the tone from the top and make sure the organization has a cyber-aware culture,” Baich said. The board should seek to understand the mandate and role of the CISO. This includes getting to know the security team and its processes before an incident occurs. The board must also endorse the CISO’s network of influence and, at the same time, assess the CISO’s performance and the organization’s security posture.
Meanwhile, from the CISO’s side, they must align with the organization’s risk appetite and business priorities by providing clear and simple plans to address the highest-priority risks while continuing to work on risk reduction.
Mutual trust and constant contact are important if the CISO is to understand the essence of what the board wants. CISOs must also be transparent and connect the dots, with the courage to admit where the organization’s weaknesses lie and to present a plan to improve on those weaknesses.
“In the end, the chief information security officer needs to build trust with the board through good risk discipline, by providing appropriate reporting that demonstrates what risks are being prioritized and how they are being mitigated,” Baich said.