When it comes to cybersecurity, it’s not uncommon for concern to run on a feast-or-famine cycle. If you’ve avoided major incidents, you’ll hear: Why so worried? We haven’t had a breach, so we have a handle on security, right? Why are we spending so much?
But when a high-profile breach happens in your industry, suddenly security is in the spotlight under a barrage of panicked questions.
That’s your opportunity to redirect panic and evolve a security mindset – before a breach affects your organization.
The timing has never been better: according to Gartner Predicts 2022: Cybersecurity Leaders Are Losing Control in a Distributed Ecosystem, 88% of boards regard cybersecurity as a business risk rather than solely an IT problem.
As Gartner research director Sam Olyaei notes, “The CISO role must evolve from being the ‘de facto’ accountable person for treating cyber risks to being responsible for ensuring business leaders have the capabilities and knowledge required to make informed, high-quality information risk decisions.”
Here’s how to focus answers to potential Board questions.
They ask: Are we safe?
They want to hear yes, but it’s not that simple.
Come prepared to speak to a mix of technical knowledge levels. Read the room — can you engage the group with some questions? If so, ask what kinds of threats THEY are most concerned about and why. This discussion will help you formulate a baseline of stakeholder knowledge and their approach to decision-making.
Effective Boards think in terms of ROI and business risk and it’s important to present your strategy in the clearest, most concise format possible.
It’s not the time for jargon or details about security tools. Have visuals prepared to back up your stance. For example, use a Risk Wall to outline the most common types of threats in terms of probability and risk to the business. Discuss the organization’s current security posture and protections, then explain your strategic prioritization with future moves plotted on an Importance/Difficulty matrix. (See examples below.)
Establish how and why the organization’s security posture must evolve with company growth and changing needs. Prior to a Board discussion, schedule time with stakeholders to identify the key events and needs, both short-term and across the company’s 5-year growth plan, that will require new security measures and plans. Evolving security isn’t an overnight switch, and integrating security with the larger business strategy can empower growth.
Define the “security mindset” and explain how it has to become a cultural mission, with buy-in from every employee, for prevention to work. And though preventive measures can’t adapt as quickly as the threat landscape, the value of a security culture can’t be overstated during an incident, when all hands are needed on deck.
Preparation makes your response plan more effective, so connect those dots when they ask:
What happens if we’re attacked?
Make it clear: The reality is not IF but WHEN.
Give an overview of the response plan. Address preparation for each of the threat types categorized in your Risk Matrix: what it takes to detect, respond to, and mitigate them.
When a breach or incident happens, the big 3 questions are:
- Have you stopped the breach? How bad is it?
- How long until we’re back up?
- What exposure does this create for the company?
Let’s talk about each of these in terms of timeline and communication.
Before a breach:
Present a responsibility matrix with assigned roles and actions. This should include:
- Timeline for communication
- Hourly updates to Executive Team
- Planned decision meetings related to impacts
- Defined notifications, instructions, and timing to internal teams, customers, vendor/business associates, and regulatory/compliance bodies
- Broadly scope risk/exposure (such as customers, data, financial, regulatory, etc.)
- Define mitigation/remediation budget for different threat types
During a breach:
- Follow communication and action matrices
- Maintain an action plan by area with progress reporting
- Ensure that an incident post-mortem and root cause analysis will be conducted after mitigation and/or remediation
After a breach:
- Complete a root cause analysis/post-mortem
- Discuss prevention and resilience
- Realign priorities and budget
Your demeanor (calm, confident, and openly communicative) will build confidence and soothe a panicked, or just ultra-busy, Board. Stay focused on concise updates: the current state, goals, progress, and how the Board is your partner in evolving your security practice.