A recent survey of Directors by NACD revealed the second most significant issue that will undermine their companies’ strategic objectives is a cyber-attack. As both a security executive, and active advisory board member, my only surprise is that it’s not number one.
I’m encouraged by the increased focus CISOs and Boards have been putting toward viewing cyber risk as a business problem. It’s equally encouraging that the risk is being thought of in dollars and cents and impacts to the business.
We are clearly on a path to better insight. Yet half of us believe that a cyber attack will disrupt our business strategy in the next 12 months. What happens when there is a significant breach or cyber event? In times of crisis, are the Board and CISOs ready to deal together with a cyber attack and its strategic impacts while it is occurring?
I asked some of my highly esteemed security colleagues their thoughts. Few of them had formal processes for disclosing to their boards how they managed security incidents. When I probed my board peers on the same topic, the resounding answer was “outside of reporting, we are not part of any cyber processes.”
Take this example – a healthcare company finds itself on the receiving end of a breach that has taken out its HVAC system in the middle of a North Carolina summer where temperatures have surpassed 100 degrees Fahrenheit, and patients’ lives are now at risk. A 5-minute report to the board every quarter is not going to prepare us as a team to work together. The time to figure it out is not while patients are overheating.
It’s time we push ourselves to not only report on cyber risk as a business value but prepare ourselves (Boards and C-suite executives) for its impacts to strategy prior to it happening.
This is the part of the blog where the author usually suggests an incredibly costly and time-consuming approach that uses Dilbert terms like ‘frameworks, KPIs, registers, indicators,’ etc. As a recovering consultant, those things hold a place near and dear to my heart. I believe that there is a season for those things, but it’s not today. I also don’t think that the answer can be distilled into a top 10 listicle that goes viral — although one can always dream.
We can broach the subject and prepare our companies and ourselves at the next Board meeting. We can do this without hijacking other initiatives or making a huge investment to start. Many of us just don’t know how to begin the conversation. CISOs are worried that Boards will overstep, and most Board members don’t know where to begin when it comes to “Cyber.”
Here are my suggestions for ways to approach preparing for a cyber-attack with strategic impact before things get too hot:
Know each other. The next time the CISO briefs the Board, plan time in for some relationship building. Tack the agenda item on before lunch — or even better happy hour — and break bread, have a drink. It’s much easier to work through issues when you know each other by name and face.
Know your role. The CISO has a plan (if he or she doesn’t, that’s another blog post at another time). Ask to be briefed on that plan during one of your scheduled meetings. A very wise person once said to me that the role of the board is “nose in, fingers out.” As a board member – ask all the questions you need to during that brief. Then when the time comes, your role is to step back and lend support if called upon.
Know your resources. Incident plans typically include a cadre of resources such as general counsel, outside counsel, insurance companies, specialized cyber forensic organizations, etc. Make sure you have (and know) the arrangements with these support resources in place in advance. The best time to negotiate a contract with them is not during a desperate call at 3 am while your customer files are being held hostage.
Are there other things we can or should be doing? Always. But the above is a great start to allow you to keep your cool. If you agree, please feel free to share – the author wouldn’t mind this post going viral one bit.