Questions that help CISOs and boards have each other’s back
Boards of directors and executives seem increasingly interested in understanding their companies’ security posture. And why wouldn’t they be?
The ransomware threat posed by organized crime groups is considerable, and its impact can be devastating and threaten the entire business. This makes it imperative for boards to ensure the company has taken necessary cybersecurity precautions to resist the threat. Additionally, executives have seen the value of efficient infosec firsthand over the last eighteen months. The efforts security teams have made to keep businesses safely functioning during a global pandemic have been impressive, if not heroic.
Regardless of why the C-level is focusing on IT infrastructure and strategy, this interest presents an opportunity for security teams. I know this is true because over the last few years F-Secure’s board has been refining how we cooperate to make better decisions about our security posture and risk appetite.
At the core of this process has been the creation of questions we use to make the best use of our time together. When approached holistically and answered honestly, these queries allow us to understand if we are focused on the right things, whether we are achieving our goals, and where our gaps are.
Since we would have benefited by having a list to start with, we’re sharing five of ours now to help other organizations.
Start with the easier ones
Here are the first three questions that I expect board members to ask me whenever they get a chance:
- What are the key threats against your top assets?
- How do you protect your assets from cybersecurity threats?
- Whose responsibility is it to implement protections?
The first two questions are routine concerns for every security manager and should not generate any sweat, except perhaps if you work at a company like F-Secure where the chair of the board has been working in cybersecurity for more than three decades and knows as much about the industry as anyone. Yet, even then, you should be able to answer these questions directly at any time, in any place.
The third question seems easy at first. But some moisture should appear on your brow if you give this question the respect it deserves.
If you’re a novice security manager, you might be tempted to answer the third question with a list of names. That might get you the head nods you’re after. Even worse, you might present your own name as the single answer to the question in a misguided attempt at self-promotion. But that would be a huge mistake.
An accountability approach should dictate who takes ownership of what. The vice president of human resources is responsible for organizing vetting; the chief information officer must be held responsible for IT security; and the chief financial officer must have plans for combating many forms of fraud, which include strategies for combating phishing and business email compromise, scenarios for handling ransomware attacks and efforts to harden the tools and processes utilized by accounts payable. The deeper you follow the accountability way of thinking, the more inclusive your leadership must be when it comes cybersecurity. This can’t be a lone-wolf operation.
The purpose of a security team is to become an ally for your executive team, not to passivate them. A proper security leader must determine—and share with the CEO and the board of directors, if necessary—whether the responsible persons are up to their tasks and committed to reaching security objectives. This is also a chance for the CISO to identify gaps and suggest improvements in areas that are lagging.
A confident CISO should also use this opportunity to shine a bright light on progress within the organization and give validation to anyone who has done a great job. I’ve also used the moment as an opening to emphasize when an investment in security in some place other than the core security team might give our organization a better bang for the buck. An example of this is recommending a focus on IT hygiene in the form of competent system managers and well-managed platforms. While this might shift assets from my team, my belief was that it could yield better security outcomes than piling more money into security information and event management (SIEM) and incident response (IR).
Being a CISO demands constant balance between trailing vs. leading. That balance must be built on commitment to accountability, for others and yourself.
Addressing risks from a business point-of-view
After these three warm-up questions, this is where you should pause and take a breath. You’re going to need the air. But you also want to pause to draw out all the potential power of your next question:
- Have you defined an acceptable risk level?
The question gets at the heart of your business leadership, something no CISO cannot claim a monopoly over. As CISO, you cannot decide what sort of risks the executive leadership or the board are willing to accept in the pursuit of growth, profitability, new markets, new ventures, etc.
The CISO’s role is to unearth threats to the business and describe them as risks with varying consequences. This, ideally, empowers leaders to form an opinion over what sort of exposure they want to take. You don’t respond to a question of an acceptable risk level with estimates of potential monetary costs. Instead, you should describe how confident you are that the risks have been properly identified, assessed, treated, and accepted.
A CISO should never seek to be the supreme acceptor of risks. Instead, the CISO’s job is to keep the conveyor belt of risk decisions up and running. That way leaders can concentrate on their most fundamental job: making decisions.
Really digging in
A key to answering these questions, I found, is reminding myself that board members want to understand, and they also want to help improve my thinking. That’s why my goal isn’t to give the performance of my life to zero interruptions and gazes of overwhelming admiration. I know I will be offered lots of places to improve, and I will get lots of opportunities to clarify the obtuse statements in my slides, especially as we move on to the final question.
This is when we really dig into the work that needs to be done—in a good way.
- How do we prove that the controls we have in place are effective against the threats that we know we face?
This answer can’t be boiled down to vague metrics or traffic lights showing that green is “good” and amber means “needs improvement”. We need to describe what it is that we have done to test and subject our assumptions to healthy criticism.
Our board needs to know if our assumptions survive when they’re put to the test. So does my team and so do I.
The multiple beneficial aspects of answering these questions have improved as we’ve practiced the process. The board understands way better the choices that we have made. They are ready to support us even when some choices that we have made turned out to be wrong, because they understand the path we took.
The “soft” part can be hard
At F-Secure, we talk a lot about how important “soft skills” like emotional intelligence are for security leaders. They may be as or even more important than the so-called “hard skills” that come from technical expertise.
In school, my minor was the psychology of leadership and organizational theory. These disciplines helped me understand how organizations work—how people as part of the organization either function or don’t function. As a CISO, open communication has been essential for improvement. And a commitment to honest disclosure across all the levels of the organization has helped us get closer to our goals. But honesty isn’t enough – I must also think about how people receive information.
I can’t tell business leaders about a technical threat, vulnerability, or configuration error, and expect that they will inherently understand why this is important to begin with. I need to translate that into what this information means for them. And if I request resources, I need to explain how the investment will pay back in the future. This is all about being able to ask and answer tough questions. And you’ll only be able to do that well in a crisis if you’ve been practicing this sort of dialogue before trouble hits.
The ability to let a board member know you have their back so they can do the same for you is essential for good defense, but it can’t be bought or sold like a security solution or service. That’s why these questions have been so useful for me, and I hope they will help you, too.
Perhaps, you’ve already figured out other questions boards should be asking. If you have, please share them with me. Because one thing this process has reminded me is that there should be no “ego” in cybersecurity. Good ideas come from everywhere because that’s what’s necessary to keep up the good fight.