Have you briefed your executives and board on the state of your security program?
How did it go?
Executives face a lot of pressure to lead the organization to successful growth. Security plays an increasingly important role in that process. Managing security properly is the difference between staying focused on what matters and being pulled off course by a breach and its fallout.
According to Peter S. Cohan, Lecturer of Strategy at Babson College, that means boards are becoming -- or need to be -- more cyber-savvy in order to ensure the executives are focusing on the right areas for growth.
Peter Cohan started his strategy consulting and venture capital firm, Peter S. Cohan & Associates, in 1994. He has completed over 150 consulting projects for high technology companies and invested in seven startup companies, three of which were sold for over $2 billion. Since 2001, he has taught strategy and entrepreneurship to undergraduates and MBAs at Babson College. He is a columnist for Forbes and Inc. His twelfth book, Disciplined Growth Strategies, was published in February 2017.
Disciplined Growth Strategies: Insights From the Growth Trajectories of Successful and Unsuccessful Companies argues that in a slowly growing world, the most important job of business leaders is to sustain industry-leading growth. The book examines what makes the difference between the handful of companies that reach $10 billion in revenue and keep growing at over 20% and the rest. It concludes that these growth leaders are run by the world's most capable CEOs: they approach growth challenges with intellectual humility, they create a vision and culture that attracts and motivates top talent, and they place big bets on growth opportunities.
We talked about the surprising connection between his work on fueling growth and the role security plays. Peter’s insights are valuable for security leaders looking to reach or better support executives and board members.
What does it mean that boards need to be more security savvy?
As the risk of breaches increases, boards – whose role when they oversee the CEO is to act as fiduciaries on behalf of shareholders – are increasingly at risk of falling short of their responsibilities. While board members are not expected to be experts on information security, they must make sure that the company has the right people and processes in place to erect defenses against information security violations, to establish procedures for monitoring the level of information security, and to make sure that the right steps are taken should a security breach occur.
At the same time, CISOs should educate board members about the best information security practices among peer companies as well as introduce board members to important trends in hacking and defense. Such briefings will help directors to evaluate proposals for investment of people and capital into new technologies and processes to protect companies against an ever-evolving information security threat environment.
Moreover, the CISO must explain news reports of significant information security breaches to the board. In so doing, CISOs should be prepared to answer questions regarding what happened, why it happened, how vulnerable the company is to the same kind of attack, and what action the company needs to take to better keep that kind of attack from happening to the company.
Finally, CISOs should give board members quarterly briefings on the level of vulnerability of the company’s information technology as well as the company’s information security goals and its progress towards achieving them.
In researching companies for my book, Disciplined Growth Strategies, I've discovered that the fastest growing companies are led by CEOs who follow the dictum of former Intel CEO Andrew Grove, who noted that only the paranoid survive. More specifically, the CEOs I studied were always on guard for new opportunities that they could exploit and emerging threats that might undermine their growth strategies. What's more, they recruited directors who shared that mindset. As we head into an increasingly unsafe world in 2017, it is imperative that board members become more technology-aware and security-savvy as their organizations attempt greater digital transformation.
How do we ease the transition to more security-savvy boards while improving the board/business literacy of security leaders?
Boards should develop a relationship with the company’s CISO. To do so effectively may require companies to hire a consultant who acts as a translator and who can reduce the mutual fear that may exist between the board and the CISO.
The board is afraid because it does not have the technical understanding of information security to fulfill its fiduciary responsibility to protect shareholders. And the CISO may be confident in his or her technical knowledge but be uncomfortable framing that knowledge in a form that board members can comprehend.
A consultant would be able to bridge this communication gap by conveying the board level perspective on information security risks to the CISO and by helping the CISO to frame responses to these concerns in a way that directors could grasp.
What is the availability bias and how does this help boards and security leaders come together?
Availability bias changes how people estimate the quantity of a future variable. When something is fresh in our minds – often because of relevant and prominent news reports – availability bias makes people overestimate how likely that event is to happen again. For example, if the morning news is full of reports about people being bitten by sharks, most people will think that shark attacks are more likely than they really are -- so they will stay out of the water.
When security breaches are discussed on the evening news, board members become more afraid that a similar breach could put their names in the news. Boards will ask questions when things are fresh in their minds – after a news report related to a security breach that is relevant to their industry – and that appetite for information could give CISOs an opportunity to meet with board members. For example, retail directors were probably concerned in the wake of news of breaches at Target or Home Depot; entertainment industry directors asked questions after the Sony breach; and any company competing with Yahoo is certainly hoping that it does not meet a similar fate.
CISOs can use these news reports as reasons to initiate a conversation with the board about information security.
Why is it important to understand that competing risks fight for attention, too?
CISOs need to appreciate that board members have other important issues to consider besides information security. At each meeting board members are likely to be reviewing the company’s financial performance and prospects; evaluating legal and compliance matters; and evaluating capital investments above a certain amount.
In addition, boards are likely to be facing a basket of other risks that may be more sporadic. Boards should categorize such risks along two dimensions: frequency (high or low) and severity (high or low).
In so doing, CISOs should be prepared to help the board answer questions such as:
How sudden (and frequent) are the security breaches?
How severe is each of the security breaches – for example, does the breach require the company to pay ransom to a hacker, or does it expose customer information and harm the company's reputation?
Where do a company’s security vulnerabilities fall in this matrix compared to other unusual business risks?
Any unusual risk that moves into the high frequency/high severity cell of this matrix will demand immediate board attention.
Companies should use this approach to categorize all their business risks and CISOs should make sure that security vulnerabilities are included in this risk assessment framework.
How can a security leader get access to the board?
The CISO must learn how to sell to senior executives. Specifically, if the CISO reports to the CFO, he or she will not have direct access to the CEO. The CISO can only get access to members of the board if the CEO believes such access is essential. In that situation, the CISO will need to convince the CFO to let him or her speak with the CEO. If that conversation is successful, the CFO may agree to bring the CISO in to a meeting with the CEO intended to get the CEO's consent to arrange for the CISO to meet with the board.
The CISO is likely to need coaching to structure the meetings with the CFO and CEO in a way that will lead to a favorable outcome. Such coaching might start with knowledge of the CEO’s most important business concerns and then assessing which of those concerns might become the responsibility of the CFO. It should then become clearer which CFO issues would likely be of interest to the CISO.
A coach should help the CISO to listen to senior executives, understand the specific business challenges they face, and envision how the CISO can use his or her expertise to help overcome these challenges. With that mindset, the CISO increases his or her odds of getting access to the board and making a contribution that board members find helpful.