The good, the bad and the ugly: CISOs vs corporate boards

Board members with some level of digital literacy – and, moreover, those with an inflated sense of their tech abilities – may add substantially more cyber risk to digital infrastructure and to the direction of corporate cyber policies than those with no digital literacy at all, according to non-executive director and strategic security adviser at Youi, Steve Coles.

Speaking at FST’s Future of Security Melbourne 2022 conference this week, Coles, a former global chief technology officer for insurance giant Allianz and an industry-recognised IT and cyber risk expert, noted that up to half of all corporate boardrooms are made up of individuals with an unrecognised cyber knowledge deficit.

He classed this loose group as the “danger zone” for corporate cyber policies.

“You’ve… got 40 to 50 per cent of people within a board or an executive team that have a computer at home, and perhaps a network they’ve set that up, who now think they’re IT experts and [that] they’re going to dictate the way that companies should be employing technology as the next step.”

According to Coles, less than 20 per cent of a typical board could be described as “cyber literate” – those who understand deeper concepts of cyber and technology risk within a corporate setting, such as patch cycles or the components of a zero-day exploit.

However, he notes that boards have “made inroads” in recognising their tech expertise deficits and have moved to plug these capability gaps by inviting in more tech specialists.

Security chiefs, in most cases the CISO, also have a responsibility to “create that advocacy” within the boardroom, Coles stressed, to “build relationships, invest in them, be proactive” and establish those allies and advocates within board discussions.

CISOs, he added, need a significantly greater focus on education in order “to bring the maturity level up to speed across the whole board structure”.

“It’s not easy. And I’m sure you’ve all got some techniques that you’ve employed that could be successful.”

Rapid change over the last five years

Corporate board structures and accountabilities have fundamentally changed in Australia over the last five years, Coles argued, with expectations and responsibilities on directors far greater than at any time in the past.

Boards today not only take an active role in defining corporate strategies but also in approving and taking accountability for this strategic direction as well as the policies required – often dictated by regulators – to be adopted by a business.

“Monitoring and supervising we’re used to, but at a level that I never saw when I was presenting to boards in Australia in 2015.

“We, as boards, need to provide that accountability and that assurance back to bodies like APRA and ASIC. They have an expectation that boards have the capability and competence to do this effectively in a very technical topic, like cyber.

“This is not insignificant; it’s a big accountability and a complex topic. The challenge of trying to present this topic and get the right level of engagement and accountability to boards is not easy.”

Cyber practice: the good, the bad, and the ugly

Coles laid out several priorities – the “nuts and bolts” – for good security practice and for CISOs and fellow cybersecurity leaders to get the most out of their interactions with their corporate boards.

  • Education: Coles urged CISOs to “use any opportunity that you have to interact with the board” to improve education, awareness, to share ‘war stories’ or initiatives taken to improve control and exposures that CISOs have helped address “to improve that education awareness across that board structure”. This should not be a “one-off” exercise, Coles stressed, but an ongoing piece whenever CISOs have a “moment of truth opportunity” with their boards.
  • Engage the entirety of the board: While it may seem prudent to engage only with vested subcommittees with a specific technology remit, Coles said his expectation was for CISOs to “proactively” engage not only with subcommittees but also the board as a whole.
  • ‘Selling’ the cyber strategy: Organisational cyber strategies should be positioned in the context of the business strategy, where possible, Coles said. Key material cyber policies can also be submitted to subcommittees that “then take this directly to the board”, he said.
  • Make cyber risk comprehensible and digestible to everyone: “Many organisations I speak to and are moving to from broad risk perspective and from a cyber risk perspective into a risk management approach to how we assess risk and our compliance,” Coles said. Risk control frameworks and residual risks should be positioned to boards “in a language that they understand”. Ideally, he said, risk profiles should be “linked to the appetite of the board in the organisation”. Too often these frameworks are overly theoretical. “We’re seeing a lot of information that is interesting but doesn’t necessarily surface the key issues that an organisation may have”. Moreover, he added, risk-based assessments are frequently made “in isolation of any clear strategy and without any education awareness”. Solving this demands a more holistic approach from cyber leaders.
  • Dashboarding, fine-tuning insights, and presenting data with a clear objective: Although Coles acknowledged dashboarding as a “pet hate”, he nevertheless encourages dashboarding and reporting of key information with metrics and measures around how cyber achieves security objectives and resists threats. “The majority of the measures I’ve seen are I’d class as ‘numbers without a clear objective’. The classic one is vulnerabilities and patches, where the board is presented with lots of numbers and statistics and a target of trying to reduce that over time. What does that mean? If a chunk of those vulnerabilities are critical and on internet-facing applications, trust me the board needs to know about that and needs to understand the action that is taken.” He added: “When you’re thinking of presenting to your board and presenting this information in reports, really think through the data you’re presenting and the relevance it has to the board.

    “Try to fine-tune that to the really important stuff that’s going that will truly make a difference in the discussion. Otherwise, everybody glazes over and moves on to the next item.”

  • Assurance building: When an opportunity presents itself – for instance, following a penetration (or ‘pen’) test or cyber-attack simulations – Coles urged CISOs to “use that as an opportunity to go to your subcommittee or board to explain the results, what we’ve learned, and what we’re doing differently next time”. “The board will be expecting this more and more as we move forward.” This should also be extended to post-incident reports – both for those that directly impact the organisation and for those that happen to market competitors. Such incidents should be used as an opportunity to improve awareness and educate boards. Coles also cited an example from an Australian bank’s ransomware simulation, which specifically invited the board in “to assess the impact and monitor the progress that would be made and support the decision-making process”.

    “They really got into some very specific issues around our recovery ability, the cost to the business of this ransomware attack, the potential to pay the ransom, and the commercial and ethical issues around all of this”. From a board perspective, he said, “this really surfaced some very challenging topics in a controlled environment”, offering a “really good example of positive engagement”.

  • Proactive engagement: “When your board is asking you to attend to present information, you’ve [already] lost the opportunity to influence.” CISOs, he stressed, should be a lot more proactive in raising these items with their board or their subcommittee, being more proactive at education as well as opportunities to present. “Don’t do what I was doing as a CIO/COO in 2015 – simply toddling along with a flash presentation once a year. Use any opportunity to be on the front foot with your board and bring them up to speed, because they will respect that. I have no doubt.” He referred to his own disappointing past experience of presenting to the board “shiny things and not the context of the underlying risk of the organisation, not highlighting the exposure that we’ve got, which is real and present as a danger, not highlighting the strategy and the further investment that’s required to move forward”.

    “Please don’t do a [past] ‘Steve Coles thing’ and just focus on the shiny things. Focus on the real practical things that matter to your business and your shareholders.”
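An added illustration in Python (not from Coles’ talk or this article) of the reporting distinction he draws under “dashboarding”: the same constructed set of vulnerability findings is summarised first as the raw count he criticises, then as the board-level measures he asks for (open critical findings on internet-facing assets, their age against a remediation SLA). The sample findings and the SLA values are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    asset: str
    severity: str          # "critical", "high", "medium" or "low"
    internet_facing: bool
    age_days: int          # days since the finding was first reported
    remediated: bool

# Constructed sample findings; not taken from any real scan.
SAMPLE = [
    Finding("web-portal", "critical", True, 21, False),
    Finding("web-portal", "high", True, 5, False),
    Finding("api-gateway", "critical", True, 3, True),
    Finding("hr-intranet", "critical", False, 40, False),
    Finding("build-server", "medium", False, 90, False),
    Finding("laptop-fleet", "low", False, 10, False),
    Finding("vpn-concentrator", "critical", True, 12, False),
]

# Assumed remediation SLA per severity, in days.
SLA_DAYS = {"critical": 14, "high": 30, "medium": 90, "low": 180}

def raw_count(findings):
    """The 'number without a clear objective': open findings of any kind."""
    return sum(1 for f in findings if not f.remediated)

def board_summary(findings):
    """Measures a director can act on: exposure, age and SLA adherence."""
    open_f = [f for f in findings if not f.remediated]
    exposed = [f for f in open_f if f.severity == "critical" and f.internet_facing]
    over_sla = [f for f in open_f if f.age_days > SLA_DAYS[f.severity]]
    return {
        "open_total": len(open_f),
        "critical_internet_facing_open": len(exposed),
        "critical_internet_facing_assets": sorted({f.asset for f in exposed}),
        "oldest_critical_internet_facing_days": max((f.age_days for f in exposed), default=0),
        "open_over_sla": len(over_sla),
        "pct_within_sla": round(100 * (1 - len(over_sla) / len(open_f)), 1) if open_f else 100.0,
    }

def board_headline(summary):
    """One sentence for the board pack in place of a page of counts."""
    n = summary["critical_internet_facing_open"]
    if n == 0:
        return "No open critical vulnerabilities on internet-facing systems."
    return (f"{n} open critical vulnerabilities on internet-facing systems "
            f"({', '.join(summary['critical_internet_facing_assets'])}); "
            f"oldest is {summary['oldest_critical_internet_facing_days']} days "
            f"against a {SLA_DAYS['critical']}-day SLA.")
```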

To the future

What does the future look like for CISOs’ board engagements?

Coles, first and foremost, called on CISOs to be conscious of the increasing time and effort that will be demanded of them as board and subcommittee engagements inevitably increase.

“You need to build that into your already busy days; you need to think through how you can build a more efficient framework that you could do this, as well as making sure you’re doing the day job in terms of protecting your business.

“Do that groundwork early, because it’s definitely going to come around the corner.”

Secondly, Coles expects to see an “increasing sophistication of alignment between cyber strategy and overall risk management frameworks” within the organisation.

“And if you’re not already, make sure you’re buddying up with your risk team… [to ensure] complete alignment of that framework.”

“We’re going to see a lot of convergence with both business and taking a much more data-driven and risk-based approach to how we’re assessing risk.”

Finally, he noted that there will increasingly be a dollar value attached to risk mitigation: “the cost of exposure as well as the investment return when we’re making investments in closing a [security] gap, from a financial perspective.”

“The next step [is to] place not only a risk-based approach, but a dollar amount to risk, so we can see the investment and see the return,” Coles said.

He noted that some companies are in the “early days” of introducing such frameworks and hopes to see – and help – other organisations move in that direction.