Threat Intelligence
4/25/2017 02:30 PM
Peter S. Cohan
Commentary

Why (& How) CISOs Should Talk to Company Boards

The C-Suite needs to minimize cybersecurity risk in order to maximize its principal goal of attaining high-level, sustainable growth.

Chief Information Security Officers (CISOs) and company boards of directors are two great tastes that don't always go well together. CISOs understand what threatens an organization's computer systems and are responsible for shielding those systems from threats, and for restoring them if they are breached. Boards, which oversee the CEO, are the eyes and ears of shareholders. Their principal role is to increase the company's stock price, keep the company out of legal or regulatory hot water, and grow the business.

In the past, CISOs and boards had no need to talk, and hence no need for a common language. But times have changed. You need look no further than Yahoo's botched security, and the $350 million haircut that Verizon gave Yahoo shareholders when it cut its acquisition price, to know that boards need to be aware of information security problems. But the relationship between the board, the CEO and the CISO is more complicated than that. For CISOs to help boards, they need to understand how CEOs and boards interact to achieve their goals.

In my new book, Disciplined Growth Strategies: Insights from the Growth Trajectories of Successful and Unsuccessful Companies, I examine the difference between the handful of companies that reach $10 billion in revenue and keep growing at over 20%, and the rest. My conclusion: growth leaders run by the world’s most capable CEOs approach growth challenges with intellectual humility, create a vision and culture that attracts and motivates top talent, and place big bets on growth opportunities.

But what do corporate growth strategies have to do with security, and why should CISOs care? Because information security is one of several business risks that a company must minimize in order to concentrate its efforts on creating sustainably high growth.

It’s all about priorities
In the grand scheme of things, boards and their chief executive have limited time, which they typically devote to two kinds of business matters: periodic and exceptional. Periodic matters include the company's financial performance and prospects, and its compliance with laws and regulations. Exceptional matters are unusual threats that require attention, such as a public relations crisis, a criminal investigation of top executives, a terrorist attack or an information security breach.


Boards decide how much time to devote to these exceptional matters along two dimensions: frequency (high or low) and severity (high or low). When weighing security issues against competing issues, boards ask questions like: How often do security breaches occur? How severe is each one? Does the breach require the company to pay ransom to a hacker, or does it expose customer information and harm the company's reputation? And where do the company's security vulnerabilities fall in this matrix compared with other unusual business risks?

As the risk of breaches increases, boards, whose role in overseeing the CEO is to act as fiduciaries on behalf of shareholders, are increasingly at risk of falling short of their responsibilities. While board members are not expected to be experts on information security, they must make sure that the company has the right people and processes in place to erect defenses against information security violations, to establish procedures for monitoring the company's level of information security, and to ensure that the right steps are taken should a security breach occur.

At the same time, CISOs should educate board members about the best information security practices among peer companies and introduce them to important trends in hacking and defense. Such briefings will help directors evaluate proposals to invest people and capital in new technologies and processes that protect the company against an ever-evolving information security threat environment.

Moreover, the CISO must explain news reports of significant information security breaches to the board. In doing so, CISOs should be prepared to answer questions about what happened, why it happened, how vulnerable the company is to the same kind of attack, and what action the company needs to take to keep that kind of attack from happening to it.

Finally, CISOs should give board members quarterly briefings on the level of vulnerability of the company's information technology, as well as on the company's information security goals and its progress toward achieving them. In researching companies for Disciplined Growth Strategies, I discovered that the fastest-growing companies are led by CEOs who follow the dictum of former Intel CEO Andrew Grove, who noted that "only the paranoid survive."

More specifically, the CEOs I studied were always on guard for new opportunities they could exploit and for emerging threats that might undermine their growth strategies. What's more, they recruited directors who shared that mindset. As we head into an increasingly unsafe world, it is imperative that board members become more technology-aware and security-savvy as their organizations attempt greater digital transformation.

Peter S. Cohan is a teacher, management consultant, angel investor, blogger, and author. He is a lecturer of strategy at Babson College, where he teaches undergraduate and MBA courses on strategy and entrepreneurship. He teaches foundations of entrepreneurial management, ...