Chief Information Security Officers (CISOs) and company boards of directors are two great tastes that don’t always go well together. CISOs understand what threatens an organization’s computer systems and are responsible for shielding them from threats, or fixing them if they’re breached. Boards (who oversee the CEO) are the eyes and ears of shareholders. Their principal role is to increase the company’s stock price, keep the company from getting into legal or regulatory hot water, and grow the business.
In the past, CISOs and boards would have no need to talk, and hence no need for a common language. But times have changed. You need to look no further than Yahoo’s botched security – and the $300 million haircut that Verizon gave Yahoo shareholders – to know that boards need to be aware of information security problems. But the relationship between the board, the CEO and CISO is much more complicated than that. In order for CISOs to help boards, CISOs need to understand how CEOs and boards interact to achieve their goals.
In my new book, Disciplined Growth Strategies: Insights from the Growth Trajectories of Successful and Unsuccessful Companies, I examine the difference between the handful of companies that reach $10 billion in revenue and keep growing at over 20%, and the rest. My conclusion: growth leaders run by the world’s most capable CEOs approach growth challenges with intellectual humility, create a vision and culture that attracts and motivates top talent, and place big bets on growth opportunities.
But what do corporate growth strategies have to do with security, and why should CISOs care? The reason is because information security is one of several business risks that a company must minimize in order to maximize their efforts in creating sustainably high growth.
It’s all about priorities
In the grand scheme of things, boards and their chief executive have limited time, which they typically devote to two kinds of business matters – periodic and exceptional. Periodic matters include the company’s financial performance and prospects, and its compliance with laws and regulations. Exceptional matters are unusual threats that require attention – such as a public relations crisis, a criminal investigation of top executives, a terrorist attack or an information security breach.
[Hear FireEye President Kevin Mandia give his Interop ITX keynote address, From Fiction to Reality: Cyber Security’s Grown-Up Phase, on Wednesday, May 17, at the MGM Grand in Les Vegas.]
Boards decide how much time to devote to these exceptional matters based on two dimensions: frequency (high or low) and severity (high or low). When considering security issues vs. competing issues, boards ask questions like, how sudden (and rare) are the security breaches? How severe are each of the security breaches? Or, does the breach require the company to pay ransom to a hacker, or does it expose customer information and harm the company’s reputation? And, where does a company’s security vulnerabilities fall in this matrix compared to other unusual business risks?
As the risk of breaches increases, boards – whose role when they oversee the CEO is to act as fiduciaries on behalf of shareholders– are increasingly at risk of falling short of their responsibilities. While board members are not expected to be experts on information security, they must make sure that the company has the right people and processes in place to erect defenses against information security violations, to establish procedures for monitoring the level of information security, and to make sure that the right steps are taken should a security breach occur.
At the same time, CISOs should educate board members about the best information security practices among peer companies as well as introducing board members to important trends in hacking and defense. Such briefings will help directors evaluate proposals for investment of people and capital into new technologies and processes to protect companies against an ever-evolving information security threat environment.
Moreover, the CISO must explain news reports of significant information security breaches to the board. In so doing, CISOs should be prepared to answer questions regarding what happened, why it happened, how vulnerable the company is to the same kind of attack, and what action the company needs to take to better keep that kind of attack from happening to the company.
Finally, CISOs should give board members quarterly briefings on the level of vulnerability of the company’s information technology as well as the company’s information security goals and its progress towards achieving them. In researching companies for Disciplined Growth Strategies I’ve discovered that the fastest growing companies are led by CEOs who follow the dictum of former Intel CEO, Andrew Grove, who noted that "only the paranoid survive."
More specifically, the CEOs I studied were always on guard for new opportunities that they could exploit and emerging threats that might undermine their growth strategies. What’s more, they recruited directors who shared that mindset. As we head into an increasingly unsafe world, it is imperative that board members become more technology aware and security-savvy as their organizations attempt greater digital transformation.