cyber resilience framework

Are You Board Ready? Five Takeaways from Our Panel at RSA

We were honored to host an engaged group of attendees as founder Raj Shah moderated a panel discussion entitled “Are you board ready.”

by Brian Bochner , VP, Marketing

RSA is in the rearview mirror, but we’re still thinking about all the great things we learned by mingling with our peers. We were honored to host an engaged group of attendees as founder Raj Shah moderated a panel discussion entitled “Are you board ready.” Resilience advisor Richard Siersen, Stanley Black & Decker CISO Lucia *Name*, and Knostic co-founder Sounil Yu traded a few barbs but also some very practical advice for working with boards of directors. All the attendees and panelists agreed to Chatham House rules, and so we are bringing you some high-level ideas that resonated with the audience., 

Your relationship with the Board begins before you take the job.

As a CISO, you need to shape the board’s understanding of cyber risk from your first conversation. Whether your board has a sophisticated understanding of cyber risk, you need to come to a shared understanding of what you stand to lose materially as well as the prescient threats that could lead to those losses.  From there, you can have a productive conversation about what risks to accept, mitigate, and transfer. Oh, and make sure you own your communications with the board. Do not get disintermediated, especially by someone who is not a security expert. 

There are so many frameworks, yet there is no framework.

In security, we have many frameworks—from network security to AI to Zero Trust—but no framework for working with a Board of Directors. There are committee structures that define governance and decision-making, but there is no framework for a common understanding of cyber risk, like a balance sheet. CISOs have to develop their own way of communicating risks

Speak to your directors in dollars and cents.

Most Boards and CISOs don’t have a singular metric for discussing risk, and they may not even mean the same thing when they say the word risk. Many boards will ask binary questions like, “Are we secure?” rather than more nuanced questions like, “How are we protecting our most valuable assets?” CISOs need to be able to answer these questions with financial figures so everyone is speaking the same language. 

East and West or Left and Right?

A great analogy for communicating the term “risk” is around how we distinguish its application across strategy vs tactics. Strategy is at the global level – east and west, while tactics are at a street level – left and right. They’re both types of directions CISOs need to be fluent in both worlds. You can’t tell someone to get from New York to San Francisco by turning left; nor can you tell someone to go west to get to the grocery store. To do their job successfully, CISOs operate at a level of granularity that is too complex for most boards. But they must inspire confidence and influence the BOD, translating problems without creating confusion. 

Storytelling is key for the CISO 2.0…or 3.0 or 4.0.

We are almost 35 years into the internet era and 30 years since the first known CISO was appointed. First generation CISOs had to be very technical to tame the Wild West of early networks and applications. While technical skills are still important, all attendees agreed that storytelling is the top skill needed in today’s CISOs. To work effectively with directors, CISOs must be persuasive risk managers, not just technologists managing security controls and strategies.

The CISO role has evolved into one of the most interdisciplinary technical business officers, with unique requirements to both be in the weeds and see things from a macro perspective across technical and functional lines of business. Thank you to our esteemed panelists and attendees for sharing your expertise with one another; it is the truly best part of RSA. 

You might also like

third-party cyber risk management

New Frontier: Cyber Risk Mitigation with Superforecasting

You’re a CISO, bombarded from all sides. New vulnerabilities emerge daily, vendors tout countless security solutions, and your inbox overflows with security alerts. Your skilled analysts are stretched thin, struggling to keep pace with the ever-evolving threat landscape. How do you make sense of it all? How do you prioritize investments, allocate resources, and make […]

third-party cyber risk management

Cybersecurity Essentials: The Role of Vulnerability Management in Building Cyber Resilient IT Systems

Navigating the complexities of cybersecurity requires a strategic approach to mitigate risks and safeguard IT systems. Central to this approach is vulnerability management, a systematic process that identifies, assesses, and prioritizes vulnerabilities within organizations’ infrastructure. Understanding what vulnerability management entails and how it contributes to preemptive cyber defense is critical.  According to a recent report […]

third-party cyber risk management

Mastering Cybersecurity Risk Metrics: A New Way to Think About Cyber Risk

Digital threats are not just possibilities but inevitabilities; understanding and calculating cyber risk is more than a precaution – it’s a necessity. Understanding cybersecurity metrics is essential to safeguarding and improving business operations. Calculating cyber risks simplifies complex issues and empowers professionals to communicate them clearly to improve their organization’s digital security. This requires a […]

third-party cyber risk management

Evolving Cybersecurity: From Risk Management to Cyber Resilience

With an astonishing 95% of cybersecurity breaches attributed to human error, organizations must educate, train, and implement a security foundation for all employees. This staggering statistic highlights the vulnerability of humans within digital infrastructures and underscores the importance of building a security-forward mindset into the culture of resilient businesses.   As cyber threats continue to lead […]

third-party cyber risk management

Counting the Cost: Understanding the Financial Risk of Cybersecurity Breaches

Cybersecurity breaches stand as a relentless challenge for organizations worldwide, causing substantial financial repercussions. As cyber threats advance in complexity, the economic impact on businesses intensifies, affecting everything from upfront costs to sustained financial health.  A thorough investigation into the financial risks posed by cybersecurity breaches reveals the breadth of direct and indirect expenses that […]

third-party cyber risk management

Rewriting the Rules of Cyber Security Risks: Part II

Building Cyber Resilience requires a new approach to assessing, measuring, and managing risk. Traditional thinking from both the security and insurance sectors views risk management in binary silos that either stop an attack or fail to prevent loss. However, the truth is that cyber security risk is significantly more complex. Being resilient to cyber security […]