4/25/2017 02:30 PM
Peter S. Cohan
Commentary

Why (& How) CISOs Should Talk to Company Boards

The C-Suite needs to minimize cybersecurity risk in order to maximize its principal goal of attaining high-level, sustainable growth.

Chief Information Security Officers (CISOs) and company boards of directors are two great tastes that don’t always go well together. CISOs understand what threatens an organization’s computer systems and are responsible for shielding them from threats, or fixing them if they’re breached. Boards (who oversee the CEO) are the eyes and ears of shareholders. Their principal role is to increase the company’s stock price, keep the company from getting into legal or regulatory hot water, and grow the business.

In the past, CISOs and boards would have no need to talk, and hence no need for a common language. But times have changed. You need to look no further than Yahoo’s botched security – and the $300 million haircut that Verizon gave Yahoo shareholders – to know that boards need to be aware of information security problems. But the relationship between the board, the CEO and CISO is much more complicated than that. In order for CISOs to help boards, CISOs need to understand how CEOs and boards interact to achieve their goals.

In my new book, Disciplined Growth Strategies: Insights from the Growth Trajectories of Successful and Unsuccessful Companies, I examine the difference between the handful of companies that reach $10 billion in revenue and keep growing at over 20%, and the rest. My conclusion: growth leaders run by the world’s most capable CEOs approach growth challenges with intellectual humility, create a vision and culture that attracts and motivates top talent, and place big bets on growth opportunities.

But what do corporate growth strategies have to do with security, and why should CISOs care? Because information security is one of several business risks that a company must minimize in order to maximize its efforts to create sustainably high growth.

It’s all about priorities
In the grand scheme of things, boards and their chief executive have limited time, which they typically devote to two kinds of business matters – periodic and exceptional. Periodic matters include the company’s financial performance and prospects, and its compliance with laws and regulations. Exceptional matters are unusual threats that require attention – such as a public relations crisis, a criminal investigation of top executives, a terrorist attack or an information security breach.
Boards decide how much time to devote to these exceptional matters based on two dimensions: frequency (high or low) and severity (high or low). When weighing security issues against competing issues, boards ask questions like: how frequent (or rare) are security breaches? How severe is each breach? Does the breach require the company to pay ransom to a hacker, or does it expose customer information and harm the company’s reputation? And where do the company’s security vulnerabilities fall in this matrix compared to other unusual business risks?

As the risk of breaches increases, boards – whose role when they oversee the CEO is to act as fiduciaries on behalf of shareholders – are increasingly at risk of falling short of their responsibilities. While board members are not expected to be experts on information security, they must make sure that the company has the right people and processes in place to erect defenses against information security violations, to establish procedures for monitoring the level of information security, and to ensure that the right steps are taken should a security breach occur.

At the same time, CISOs should educate board members about the best information security practices among peer companies and introduce them to important trends in hacking and defense. Such briefings will help directors evaluate proposals to invest people and capital in new technologies and processes that protect the company against an ever-evolving information security threat environment.

Moreover, the CISO must explain news reports of significant information security breaches to the board. In doing so, CISOs should be prepared to answer questions about what happened, why it happened, how vulnerable the company is to the same kind of attack, and what action the company needs to take to keep that kind of attack from happening to it.

Finally, CISOs should give board members quarterly briefings on the level of vulnerability of the company’s information technology, as well as on the company’s information security goals and its progress toward achieving them. In researching companies for Disciplined Growth Strategies, I discovered that the fastest-growing companies are led by CEOs who follow the dictum of former Intel CEO Andrew Grove, who observed that "only the paranoid survive."

More specifically, the CEOs I studied were always on guard for new opportunities that they could exploit and emerging threats that might undermine their growth strategies. What’s more, they recruited directors who shared that mindset. As we head into an increasingly unsafe world, it is imperative that board members become more technology aware and security-savvy as their organizations attempt greater digital transformation.

Peter S. Cohan is a teacher, management consultant, angel investor, blogger, and author. He is a lecturer of strategy at Babson College, where he teaches undergraduate and MBA courses on strategy and entrepreneurship. He teaches foundations of entrepreneurial management, ...