Corporate Governance: Communicating Cybersecurity to the Board

In the rapidly evolving landscape of cybersecurity, effective communication with boards of directors has emerged as a critical concern for organizations worldwide. As cyber threats grow in complexity and severity, the lack of communication between cybersecurity professionals and board-level decision-makers has resulted in avoidable business losses. Recognizing the significance of this topic, the owner and managing director of CLASS-LLC, Keyaan Williams, has decided to join this growing conversation. The following interview provides valuable insight into the challenges and strategies involved in communicating cybersecurity effectively to the board of directors. Click the links below to listen to interview highlights and delve deeper into this critical subject. Join us as we shed light on the challenges, strategies, and best practices involved in fostering a robust cybersecurity dialogue between executives and their boards. 

You can click the link in each question to listen to the interview audio.

Kara Twombly: As a member of a board of directors yourself, why do you believe communicating cybersecurity effectively to a board is important?  

Keyaan Williams: One of the biggest issues on boards of directors is that most corporate directors are either chief executive officers or chief financial officers. Most of your directors are non-technical business executives, which makes cybersecurity a scary topic because a lot of people have been influenced by Hollywood and memes to think that cybersecurity is technical. There are unique experts who are the only people who know what's really going on, and it is an unattainable topic for businesspeople. When you reconcile that perspective with the rulemaking from the Securities and Exchange Commission, cybersecurity is really something that is going to set corporate directors up for failure. 

According to the SEC, they found that 90% of public companies that are subject to their oversight don't have the ability to meet the cybersecurity incident reporting requirements that have been documented for public companies. There are also studies that show that corporate directors on public boards spend less than one week per year talking about cybersecurity. So, you have this perfect storm where there is a significant leadership requirement that demands that the people running the business understand and provide guidance about oversight and management of cybersecurity risk. But the people in those positions think that it's somebody else's job. They pay no attention and then they hope for the best. 

Given all of this, a good thing that we, the professional security community, can do is to educate directors so that they make good decisions about risk appetite and risk capacity and the expectations of the leadership of the company. Directors must apply people, processes, and technology in a way that reduces risk as much as possible for the specific company in question. In a lot of cases, there are industry-specific factors that influence cybersecurity risk. For example, risk of cybersecurity in telecommunications is very different than risk in food manufacturing or risk in financial services, and because of those differences, it is extremely important that the board of directors, who already has a responsibility to operate in the best interest of the company, understands the exposure of the company and is driving activities that are going to reduce that risk or that exposure as much as possible. 
 

Cybersecurity and boards, neither of these things are brand new, but how would you say communicating cybersecurity to the board has changed over time? 

When you talk about the way that the activity has changed in terms of how communication happens, it's difficult to pinpoint when it took place. Major corporate disasters like Colonial Pipeline [2021] or like SolarWinds (2020) or big things that go all the way back to Target (2013) or the current things that are going on with MOVEit (2023) create a situation where corporate directors are going to the business and saying, “Hey, what the heck is going on? Are we susceptible to the same thing that happened to other people that are being talked about in the Wall Street Journal or on the news? What are we doing about it? How do we reduce our risk?” The inquiry from the board is increasing opportunities for security leaders and IT leaders and business leaders to have more time at board meetings to have more opportunities to communicate what's going on. 

I think the challenge is that having sat on a board of directors, the board meeting is not the place to get into a deep technical conversation. Part of the communication with the board is going to require additional discussion at the committee level, so that there's deep conversation that explores all aspects of what's going on, all of the options that are available and that sets up the board meeting to really be the place where you make a final decision about something that is well understood is well discussed and has had thorough examination. 
 

You've had a good bit of experience with boards over the course of your career. What would you say is your most notable experience with a Board of Directors? 

I provided a corporate board briefing to another company and I think that might be the best outcome I've ever produced for a board. I did it as a favor for a friend, but the outcome was meaningful because after a one-hour conversation, that company changed the way their board operates. They established a dedicated committee focused on oversight of cybersecurity risk, and they dedicated resources to make sure that the committee drove the actions and outcomes that they were looking for within the organization. 

It matters significantly because it was a $2 billion food manufacturing company that thought that cybersecurity did not matter. All of their investment went into feeding its food manufacturing. What they were able to understand after a one-hour conversation is that everything that goes into the manufacturing and the production line depends on cybersecurity, because all of that critical infrastructure relies upon industrial control systems and information technology. There's all this automation that happens that allows people to maximize the productivity of the company, and they had no consideration for “What is my security risk? How are we updating the industrial control systems? How are we patching the infrastructure? How are we making sure that only authorized people have access to very expensive processes that were developed over decades?” Whereby, if their competitors stole their process, their competitor doesn't have to spend hundreds of millions of dollars on research and development, they can just buy the equipment and compete with them directly without very much effort. The conversation kind of shifted from “We don't really care about this” to “Oh my gosh, we could go out of business if we don't do it right”. And because it happened at the board level, it guaranteed that resources were provided to management and staff and were distributed across the company so that everything that was talked about in theory actually took place in practice. 

What are the most important things for boards to understand about cybersecurity and what kinds of questions should members ask a CISO? 

I think the most important thing that the board should understand about cybersecurity is that cybersecurity is one category of enterprise risk that has to be managed. You're not going to only do cybersecurity risk management, but you're going to understand that all your risk and cybersecurity is going to be a part of that equation. Once you understand all of your risks, the concept becomes risk management as a business decision. It's not for the Chief Information Security Officer to tell the board what to do, it's really a situation where the board tells the Chief Information Security Officer: this is our strategy, these are our goals, these are the outcomes that we expect you to produce. Then the Chief Information Security Officer reports to the board on his or her progress accomplishing the goals that have been defined. 

In every case that I've looked at it in detail, when the board of directors asks the CISO to tell them what they should be doing instead of the board of directors telling the CISO what outcomes should be produced, you usually have problems because there is a lack of accountability and there's a lack of oversight. If the board sits back and waits for somebody to tell them how much risk is acceptable, how do they verify that what they were told is the right answer in the context of the business that they’re dealing with, appropriate for the business strategy and the objectives and the outcomes that they want to produce? It just doesn't make sense. That'd be like parents going to their children and saying, “hey kid, you're 7 years old, what time should you go to bed?” And the kid says, “well, I'm going to stay up till midnight because I want to”. And the parents say, “OK, let me know at 11:59 that you're about to get in the bed.” That sounds ridiculous in practice, but that is the situation that ends up happening in a lot of cases. Boards are going to their children and asking them what they want to eat for dinner, what time they want to go to bed, who their friends are going to be, what kind of movies they want to watch, instead of taking a leadership role and saying, “hey kid, I've been around much longer than you have in your seven years of life. As your parents, I'm going to set boundaries that are acceptable. You're going to go to bed at 8:30 because you're 7. You're going to only watch G or PG rated movies because it's appropriate for your age. You're going to have a well-balanced diet instead of eating pizza for breakfast, lunch and dinner.” 

That is the ideal outcome. It's the opposite situation of what happens in practice in the relationship between a lot of boards and a lot of CISOs simply because of a lack of education at the board level about what's important, what they need to know, and how they're going to have the CISO, CEO, and all the other people in the business provide good input, good insight, and good evidence that an effective risk management program is in place. 

Based on everything that you just mentioned, how can a CISO best communicate these points to the board? 

The best answer is relationship. The board meeting is not the place to have this conversation. The committee meetings that the board has on a regular basis are a better place to talk about everything holistically and in conjunction with all the other risks that the organization faces. The reason that I say that is because cybersecurity is not the only thing the companies have to deal with. 

If you're in a hospital, for example, there is a financial risk. If you're not serving enough patients and charging enough fees to justify the existence of the hospital, you may end up in a situation where you have to make a choice between do we purchase a new MRI so that we can serve more customers and generate more income, or do we spend $1,000,000 on technical cybersecurity controls to reduce the possibility of a compromise that may or may not cause harm to the hospital in the future? 

There's always a trade off with risk management. If you only talk about cybersecurity in isolation, you missed the opportunity to compare cybersecurity risk to financial risk and operational risk and regulatory risk and reputational risk. If you don't look at everything together, you can't balance the tradeoffs and decide what is the best investment for the organization. If you do it in isolation, you may decide we need a $5 million budget for cybersecurity, but then it leaves nothing else to advance the business for the rest of the company. I’m using a hospital as an example, but you could apply this to any kind of business. 

You've kind of already answered the next question, but to reiterate, in your experience, what is the best way to illustrate risk to a board of directors? 

The best way to illustrate it is to talk about what the board has already said is the outcome they want to produce. It sounds counterintuitive, but it's the board's responsibility to formally document a risk appetite statement. It's the board's responsibility to provide oversight and make sure that all risk-taking falls within acceptable boundaries. It’s the CISO’s responsibility to communicate to the board “are we or are we not operating within the boundaries that have been established?” It may require education of the corporate directors to make sure that they understand their responsibility. Once the board understands their responsibilities and successfully executes their responsibility, the best thing that the CISO can do is say “we are within normal boundaries”, “we fall way below the boundaries”, or “we're right at the edge of going out of business and having a catastrophic existential event”. Communication about the status based on what the board has established is the best thing to communicate about. 

Do you think the board should have a CISO as a member or as an advisor and what are the advantages and disadvantages of these approaches? 

One of your challenges if you have CISO’s as members of the board is that the role of the board of directors is to provide oversight, not to do the work. There is a common cliche that they talk about with board governance that says the board should have their nose in, but their fingers out and it represents the idea that they smell what's going on, but they have nothing to do with baking the cake, frying the hamburger, or making the salad. What is likely to happen is that if you add a Chief Information Security Officer who has a very strong technical background to a board of directors, the Chief Information Security Officer isn't going to be able to provide value beyond oversight of cybersecurity risk, but that's not the only thing that a board does. 

In most public companies, you have three standing committees that you have most of your board members assigned to and then you have select committees that are established for specific purposes. None of those 3 standing committees that exist on most of the boards for the Fortune 1000 companies focus on security or focus on technology in general. You might have a select committee as a data governance committee or as a risk committee. The moral of the story is that given the way that boards operate and their priorities, you can't have a board member that is a one trick pony who cannot contribute to the primary function of the board. And even if you add a CISO to the risk committee, the risk committee's purpose is to do enterprise risk and evaluate, provide oversight for, and direct activities to manage all of the risk the company faces - not just cybersecurity risk. 

Also, most boards of directors have a limited number of members. You don't have 50 people on a board of directors. It would not be wise to have one person that can do a fraction of the work and then everybody else is expected to do all of their work. It creates a situation where it is more likely that the board is going to lean on the Chief Information Security Officer as an employee of the company to execute the strategy that was defined by the board. Alternatively, the board is going to have somebody who has a business background, who has been on a board, and is educated in management of cybersecurity risk who can provide good advice, who could help the board identify the right questions to ask and who can help the board understand “is the answer to the question a valid answer.” It doesn't really need a full-time person. Lots of boards use consultants for a lot of things. I think it would be wiser to apply your limited headcount on the board to people who can contribute fully to any of the committees that person is going to be assigned to.  

In the first few minutes of this interview, we talked about how communicating cybersecurity to the board has changed over time. What do you hope to see in the future? 

On boards today, from the issue with Enron (2001) to this point, there has been a significant effort to make sure that corporate directors that have oversight responsibilities for finances are qualified financial experts. What I hope for the future is that the same thing happens with cybersecurity, whereby cybersecurity is not mysterious. Everybody understands what it is, how it works, and the value that it brings. And just like you have qualified financial experts, I think that the Securities and Exchange Commission should define a classification of qualified cyber expert and that all boards have a risk committee that focuses on oversight of cybersecurity risk, among other risks. It removes the need to take a CISO and plug them into the board. And as an alternative, it allows very smart businesspeople who contribute to the entirety of the board to have a better understanding of cybersecurity risk, how management of cybersecurity risk works, and then they can effectively execute all the requirements. 

For our last question of the day, where can people go to learn more or have more in-depth conversations about effective communication with the Board of Directors? 

Currently, there are limited resources. There's a directors and boards magazine that has great insight. There are professional associations like the National Association of Corporate Directors and the Private Directors Association that provide good advice. I would throw my hat into the ring as an organization that provides good advice because we talk about communication with the board at our event called the Cyber Strategy Retreat. This topic also comes up in our executive education course, the Cyber Executive Masterclass. I also post and write and speak and preach about good communication between the business and the board on a regular basis all over the world.