
The Digital CIO: Communicating to the Board on Cyber Security

Premise: Leading CIOs are changing the way they communicate to their boards about cyber security by emphasizing response, not infiltration. Rather than solely focusing on how to thwart penetration, CIOs are treating cyber security as an integral part of business/service continuity and risk management agendas, with a priority on rapidly responding to critical breaches.

CIOs are pushing for a new phase of cyber security awareness and transparency. Leading CIOs do not promote the illusion that they can make companies impenetrable. Rather, technology leadership today operates under the assumption that compromise is a persistent and ongoing threat. When communicating to the board, CIOs must shift the conversation toward business impacts and response mechanisms and address technology issues in a context that engages rather than alienates board members. Leading CIOs in our community are addressing board-level communications by focusing on three main areas:

  • Evolving the problem statement. Cyber security is emerging as a dominant geopolitical issue, but it’s not only a technology challenge. Lack of appreciation for the value of data assets, an ever-expanding threat matrix, a pervasive gadget culture that presumes technology can solve all problems and a tendency to concentrate cyber security responsibility on a few technologists all diminish productive executive and board-level participation in cyber solutions.
  • Identifying the right regime for cyber security. Many organizations assign the responsibility of security to the technology organization. While leading organizations often have the CISO reporting into the CIO, they also create clear board level roles, approach cyber security as a total company activity and give the CISO greater autonomy and latitude to challenge the technology team, inclusive of the CIO.
  • Creating a meaningful communications plan with clear objectives. The board is seeking business solutions to the problem of cyber security to both protect the organization as a whole and at the same time minimize personal director liability. CIOs are creating communications plans which resonate with the board to foster productive dialog, create transparency and provide a basis for continuous improvement.

What’s the Cyber Problem Today?

Securing the perimeter has historically been the main focus, but today the problem is shifting to one of response. Estimates vary widely, but our research indicates that on average, when an organization is infiltrated, it takes between 200 and 250 days to identify the breach and respond.

Organizations generally tend to operate in a world of information silos. This is an especially vexing problem when it comes to cyber security because it has the tendency to focus solutions on tools and processes that are narrowly applied within these silos and not consistently applied across the organization. However, most cyber-attacks aren’t limited to one domain. Attacks typically gain entry in one silo and seek to use that entry point to acquire access to even more valuable information resources somewhere else.

CIOs in our research community indicate that while they continue to do what’s necessary to keep the bad guys out, it’s much more important to communicate to the board of directors that they have a response plan in place and can lead the process.

You can dig a big, wide moat…it doesn’t matter…what’s more important is that you have everything planned out and you’re ready to deal with that incident and that response – because it’s going to happen…so how you handle that response can dictate your future.

– Link Alander, Vice Chancellor & CIO, Lone Star College

Full interview of Link Alander on theCUBE.

CIOs in our community also generally agree that most organizations don’t properly value data, which leads to inadequate protection and improper governance regimes. Because many organizations view information security as the responsibility of a few technology experts, there tends to be a lack of business alignment regarding the value of data assets. This has often led to a “one size fits all” approach to security.

For example, one manufacturing CIO we spoke to discussed how a poorly constructed SLA led to a misaligned response regime. Under the SLA, all threats were to be treated equally, which resulted in threats being differentiated only by time of incident. This led to a serious rift between the audit/compliance team, which wanted to prioritize response based on risk, and the security team, which used a time-based FIFO scheme. This example underscores two key points: 1) security should be part of a broader business/service continuity plan, and 2) a security regime should build on the idea that when security stops, business stops.

What’s the Right Regime for Cyber Security?

Most organizations (~80%) indicate that the cyber security team (typically led by a CISO) reports directly into the CIO. Some organizations have the CISO report to the COO or sometimes the CEO or even the general counsel. CIOs are generally aware of the need for checks and balances and prepare their security teams to openly judge the security practices of the organization, including the IT teams.

Leading CIOs in our community agree that cyber security is a shared responsibility that warrants board level attention. There is strong sentiment in our CIO group that security leads (e.g. CISOs) should regularly brief the board and cyber security should be on the agenda of the board.

I think cyber and the risks associated with cyber and IT need to be a regular part of every board’s agenda. I think there is value in having it as an integral part of risk management and so whether you focus specific attention in the audit committee (for example) and then have briefings for the broader board, probably is up to each company, but there is no question in my mind that when it comes to risk, for most companies today, cyber is right up there with natural disasters and business continuity and needs to be a responsibility in terms of oversight for a board.

– Dr. Robert M. Gates, 22nd U.S. Secretary of Defense; current board member at Starbucks and formerly board member at Brinker International, Inc., NACCO Industries, Inc. and Parker Drilling Company.

Full interview of Dr. Gates on theCUBE.

CIO To-Dos

Security is a board-level problem and CIOs are in a strong position to educate, suggest proper regimes and lead response plans. Organizations must structure security as a shared responsibility with a combination of tech experts, audit/compliance, the general counsel, lines of business heads and the board of directors all sharing the burden.

In addition, CIOs must help their organizations quantify the value of data with frameworks that recognize data’s inherent lack of asset specificity – i.e. data has different value in different use cases. This will begin to enable organizations to enact controls around corporate intellectual property.

Security responses should be “practiced” in the same way that disaster recovery plans should be tested. CIOs must move to a response-oriented approach to cyber where security is not only baked into application testing but is also part of a rehearsed response that focuses on identifying the threat, quantifying its business impact, assigning clear responsibilities for remediation and effecting continuous improvement by evolving best practice. Prior to approaching the CEO about presenting to the board, CIOs should develop a checklist that provides a framework for the discussion.

Action Item: The cyber security conversation is no longer a technical discussion about keeping teenage hackers off your network. Rather, security has become a board-level topic that is evolving into a crucial element of your company’s overall risk management and business continuity planning. CIOs must proactively approach CEOs to initiate cyber security communications plans for their boards of directors, with a focus on the response protocol.

Here’s a description of the method and data sources used for this research and a list of participating executives in the community who provided input to the study.
