Threat Intelligence

4/25/2017
02:30 PM
Peter S. Cohan
Commentary
Why (& How) CISOs Should Talk to Company Boards

The C-Suite needs to minimize cybersecurity risk in order to maximize its principal goal of attaining high-level, sustainable growth.

Chief Information Security Officers (CISOs) and company boards of directors are two great tastes that don’t always go well together. CISOs understand what threatens an organization’s computer systems and are responsible for shielding them from threats, or fixing them if they’re breached. Boards (who oversee the CEO) are the eyes and ears of shareholders. Their principal role is to increase the company’s stock price, keep the company from getting into legal or regulatory hot water, and grow the business.

In the past, CISOs and boards would have no need to talk, and hence no need for a common language. But times have changed. You need to look no further than Yahoo’s botched security – and the $300 million haircut that Verizon gave Yahoo shareholders – to know that boards need to be aware of information security problems. But the relationship between the board, the CEO and CISO is much more complicated than that. In order for CISOs to help boards, CISOs need to understand how CEOs and boards interact to achieve their goals.

In my new book, Disciplined Growth Strategies: Insights from the Growth Trajectories of Successful and Unsuccessful Companies, I examine the difference between the handful of companies that reach $10 billion in revenue and keep growing at over 20%, and the rest. My conclusion: growth leaders run by the world’s most capable CEOs approach growth challenges with intellectual humility, create a vision and culture that attracts and motivates top talent, and place big bets on growth opportunities.

But what do corporate growth strategies have to do with security, and why should CISOs care? The reason is that information security is one of several business risks a company must minimize in order to maximize its efforts toward sustainably high growth.

It’s all about priorities
In the grand scheme of things, boards and their chief executive have limited time, which they typically devote to two kinds of business matters – periodic and exceptional. Periodic matters include the company’s financial performance and prospects, and its compliance with laws and regulations. Exceptional matters are unusual threats that require attention – such as a public relations crisis, a criminal investigation of top executives, a terrorist attack or an information security breach.

Boards decide how much time to devote to these exceptional matters based on two dimensions: frequency (high or low) and severity (high or low). When weighing security issues against competing issues, boards ask questions like: How frequent (or how rare) are security breaches? How severe is each breach? Does a breach require the company to pay ransom to a hacker, or does it expose customer information and harm the company’s reputation? And where do the company’s security vulnerabilities fall in this matrix compared with other unusual business risks?

As the risk of breaches increases, boards – whose role in overseeing the CEO is to act as fiduciaries on behalf of shareholders – are increasingly at risk of falling short of their responsibilities. While board members are not expected to be experts on information security, they must make sure that the company has the right people and processes in place to erect defenses against information security violations, to establish procedures for monitoring the level of information security, and to ensure that the right steps are taken should a security breach occur.

At the same time, CISOs should educate board members about the best information security practices among peer companies and introduce them to important trends in hacking and defense. Such briefings will help directors evaluate proposals to invest people and capital in new technologies and processes that protect the company against an ever-evolving information security threat environment.

Moreover, the CISO must explain news reports of significant information security breaches to the board. In doing so, CISOs should be prepared to answer questions about what happened, why it happened, how vulnerable the company is to the same kind of attack, and what action the company needs to take to keep that kind of attack from happening to it.

Finally, CISOs should give board members quarterly briefings on the level of vulnerability of the company’s information technology, as well as on the company’s information security goals and its progress toward achieving them. In researching companies for Disciplined Growth Strategies, I’ve discovered that the fastest-growing companies are led by CEOs who follow the dictum of former Intel CEO Andrew Grove, who noted that "only the paranoid survive."

More specifically, the CEOs I studied were always on guard for new opportunities that they could exploit and emerging threats that might undermine their growth strategies. What’s more, they recruited directors who shared that mindset. As we head into an increasingly unsafe world, it is imperative that board members become more technology aware and security-savvy as their organizations attempt greater digital transformation.

Peter S. Cohan is a teacher, management consultant, angel investor, blogger, and author. He is a lecturer of strategy at Babson College, where he teaches undergraduate and MBA courses on strategy and entrepreneurship. He teaches foundations of entrepreneurial management, ...