As previously discussed, many Boards of Directors have recruited members with deep cybersecurity experience. This is due to the continued increase in the magnitude of risk that is emanating from this domain. This should not be seen as a slap in the face of a CSO or CISO, even those that have not been asked to present to the board. There are several reasons that this has not occurred.
Perhaps the biggest reason is that the CIO is speaking for CSOs and CISOs, and it's taking place far more frequently then I had thought. Chief Information Officers want to control the message! One specific example: the head of cybersecurity was asked to prepare a cybersecurity report on the organization’s operations. While in the process of doing that he was summoned to the CIO’s office for a meeting – just between the two of them. The CIO told him that under no circumstances was he to show anything relating to his report to anyone. Once the report was done he was to submit the report to the CIO in an editable form and the CIO would take it from there.
This puts you in a very difficult situation. What happens if you do not agree with the changes that are made to your materials? What do you do? Are you in a position to risk your job?
The increased attention that cyber is receiving at the C-level and in the boardroom has made this a very sensitive topic. If you are requested to brief the board you should be prepared to discuss the topic of interest to them. Based on the last few months, here are the topics I believe are most relevant.
First, be prepared to talk about the cybersecurity risk indicators that are most relevant to executive risk management. It has been my experience that putting this in terms of dollar amounts works best. Using the dollar-value of the digital assets owned by the organization is most effective. I also use the latest estimated average loss due to a breach.
The second question is what are the current cybersecurity threats most relevant to the organization, and what is likely to come next? The first part is easy. Use your security event logs and real numbers about the types of events that the organization is experiencing. The second part is a bit trickier! I use industry reports coupled with government reports and announcements and put those in context to the organization.
The third question puts the focus on defenses. They want to know if the organization can properly defend and are prepared in the event they come under an attack and the attack is successful. Knowing your current cyber defense state is essential, and putting it in context with your peers goes a long way. You should also be prepared to tell them the top one or two things you feel that could be done to further your defenses, along with the rough costs to implement those measures.
Keep it simple, direct and to the point Have supporting information and answer the questions openly and directly. To do this you must do your homework and keep up to date with all that is going on in this space.