Three Axes of Discussion to Build up a Cyber Security Agenda at Board Level

Revisiting the questions the Board should ask (one more time…)

This piece in the HBR caught my attention (“7 Pressing Cybersecurity Questions Boards Need to Ask” — Dr Keri Pearlson, Nelson Novaes Neto — 4th March 2022), not least because I wrote on the same theme and framed it in the same way at least on two occasions in 2016 and 2019.

The scene setting around the “five things directors need to know about cybersecurity” is spot on, and echoes many aspects we have been endorsing and writing about at Corix Partners since 2015.

But when it comes to the “7 questions”, I am left slightly confused about who is meant to be asking them to whom; I assume this is a Board member asking the others and expecting answers probably from C-Suite representatives across the table, but I miss three elements:

First of all, I miss a clearer reference to the cyber threats the business is facing. This is not just about knowing what key assets have to be protected, but also understanding who and what could target them to cause harm to the firm (and how, and to what extent).

In fact, only a sound appreciation of the cyber threats involved can determine the nature and level of cyber protection required. You don’t defend yourself in the same way against rogue insiders motivated by financial gain, or state-backed actors motivated by stealing your IP.

It is the role of the Board to understand the level and nature of cyber threats the business is facing, and position them on a broader picture encompassing all other threats (for example, environmental or geopolitical), and in the context in which the business has to operate, often dominated by volatility, uncertainty and ambiguity.

Second, I miss a reference to cyber security maturity levels. This cannot be a one-size-fits-all exercise. In spite of the non-stop avalanche of cyber attacks of the last decade, not all organisations have reached an advanced level of cyber security maturity, and many have struggled with the deployment of protective measures due to adverse prioritisation by their business.

Understanding where the firm is on the maturity spectrum and looking without complacency at the root causes that have prevented progress in the past, should be key for the Board.

After all, cyber security good practices have been well established for over two decades, and to a large extent still provide a degree of protection against most threats.

Waking up today to a low level of cyber security maturity should not be treated as “normal” by the Board. The underlying causes have to be confronted: They can be financial (under investment), cultural (adverse prioritisation, business short-termism), or organisational (low reporting line of the CISO, absence of operating model); the most likely is that they will involve a combination of the three, and possibly other elements.

Understanding those should be key to position the questions the Board needs to ask at the right level, and in particular when it comes to assessing the adequacy of the investment required and targeting action to the right places.

Finally, I miss a broader reference to the governance framework within which cyber security measures have to deployed and executed. This is taking me back to my 2016 and 2019 pieces, and frankly, the “who’s in charge” question is still very relevant; to be more precise, it should be “who’s in charge of what” …

The Board is justified in pushing that agenda because of the escalating levels of cyber threats, coupled with the escalating complexity of the modern enterprise and its supply chain.

This is not about deciding whose head will roll in case of a breach but understanding how roles and responsibilities for cyber defence are documented and allocated across the Board, the C-Suite and the Firm at large.

This can no longer be left to semi-formal arrangements and vague job descriptions, and it goes way beyond having incident response plans and testing them. And it is not about “wheeling in” the CISO twice a year in front of Board either.

Accountabilities and responsibilities for cyber security need to be attributed formally across the Firm from the top down at the level of each relevant stakeholder and set in role descriptions, against which objectives can be defined and compensation determined.

Formalising cyber security roles and responsibilities would drive the formation and the backbone of a security operating model, against which investments can be justified, progress tracked, and maturity measured.

So, in conclusion, and revisiting one more time the questions the Board should ask around cyber security, I would suggest three axes of discussion, to build up the right agenda:

  • What cyber threats are targeting us? Which assets are they targeting? What harm can they cause and how?
  • How mature are we at defending ourselves against those threats? If maturity is not at a level deemed satisfactory, what are we doing about it?
  • Who is in charge of what in that context? How are organisational arrangements structured and formalised, in a way which would give the Board assurance that cyber security investments do deliver the expected level of protection, progress is tracked, and maturity maintained or improved?

We are also reaching a point of urgency in many firms where cyber security matters can no longer be explained away or delegated down by the Board.

Where that is the case, one Board member should own and drive such agenda. If the skills required to understand the situation are perceived as lacking at Board level, then they need to be brought in, permanently, temporarily or on an ad-hoc basis.

This is the only way to move things forward around cyber security where bottom-up approaches have failed, and a strong top-down push is required.